diff options
164 files changed, 722 insertions, 719 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f6292a742..6e10d680c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,6 +3,7 @@ on: push: branches: - main + - tmp pull_request: branches: - main @@ -2999,7 +2999,7 @@ static int process_datalink_layer(struct nDPId_reader_thread * const reader_thre return 1; } - struct ndpi_chdlc const * const chdlc = (struct ndpi_chdlc const * const) & packet[eth_offset]; + struct ndpi_chdlc const * const chdlc = (struct ndpi_chdlc const * const)&packet[eth_offset]; *ip_offset = sizeof(struct ndpi_chdlc); *layer3_type = ntohs(chdlc->proto_code); break; @@ -3021,7 +3021,7 @@ static int process_datalink_layer(struct nDPId_reader_thread * const reader_thre if (packet[0] == 0x0f || packet[0] == 0x8f) { - struct ndpi_chdlc const * const chdlc = (struct ndpi_chdlc const * const) & packet[eth_offset]; + struct ndpi_chdlc const * const chdlc = (struct ndpi_chdlc const * const)&packet[eth_offset]; *ip_offset = sizeof(struct ndpi_chdlc); /* CHDLC_OFF = 4 */ *layer3_type = ntohs(chdlc->proto_code); } @@ -3059,7 +3059,7 @@ static int process_datalink_layer(struct nDPId_reader_thread * const reader_thre } struct ndpi_radiotap_header const * const radiotap = - (struct ndpi_radiotap_header const * const) & packet[eth_offset]; + (struct ndpi_radiotap_header const * const)&packet[eth_offset]; uint16_t radio_len = radiotap->len; /* Check Bad FCS presence */ @@ -3886,9 +3886,10 @@ static void ndpi_process_packet(uint8_t * const args, if (is_new_flow != 0) { - flow_to_process->flow_extended.first_seen = flow_to_process->flow_extended.flow_basic.last_pkt_time[direction] = - flow_to_process->flow_extended.flow_basic.last_pkt_time[1 - direction] = - flow_to_process->flow_extended.last_flow_update = workflow->last_thread_time; + last_pkt_time = flow_to_process->flow_extended.first_seen = + flow_to_process->flow_extended.flow_basic.last_pkt_time[direction] = + flow_to_process->flow_extended.flow_basic.last_pkt_time[1 - direction] = + flow_to_process->flow_extended.last_flow_update = workflow->last_thread_time; flow_to_process->flow_extended.max_l4_payload_len[direction] = l4_payload_len; flow_to_process->flow_extended.min_l4_payload_len[direction] = l4_payload_len; jsonize_flow_event(reader_thread, &flow_to_process->flow_extended, FLOW_EVENT_NEW); @@ -4685,6 +4686,7 @@ static int nDPId_parse_options(int argc, char ** argv) "\t \tmultiple instances and should be unique.\n" "\t \tDefaults to your hostname.\n" "\t-A\tEnable flow analysis aka feature extraction. Requires more memory and cpu usage.\n" + "\t \tExperimental, do not rely on those values.\n" #ifdef ENABLE_ZLIB "\t-z\tEnable flow memory zLib compression.\n" #endif diff --git a/test/results/1kxun.pcap.out b/test/results/1kxun.pcap.out index 9bd047cfa..eceb75233 100644 --- a/test/results/1kxun.pcap.out +++ b/test/results/1kxun.pcap.out @@ -147,11 +147,11 @@ 00678{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":197,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1470104379271401,"flow_dst_last_pkt_time":1470104373232452,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104379271401,"pkt":"AQBef\/\/6SNIkYzEACABFAAChOp0AAAERyODAqAUs7\/\/\/+si9B2wAjdLxTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="} 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":198,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_src_last_pkt_time":1470104379271484,"flow_dst_last_pkt_time":1470104379169121,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":92,"pkt_l4_len":38,"thread_ts_usec":1470104379271484,"pkt":"MzMAAQAD\/PiuMpcsht1gAAAAACYRAf6AAAAAAAAA6Y+64hn3aw\/\/AgAAAAAAAAAAAAAAAQAD1mgU6wAmi+DsIAAAAAEAAAAAAAAM5bCP5L2b5bCI5qmfAAD\/AAE="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":199,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_src_last_pkt_time":1470104379271492,"flow_dst_last_pkt_time":1470104379169283,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":72,"pkt_l4_len":38,"thread_ts_usec":1470104379271492,"pkt":"AQBeAAD8\/PiuMpcsCABFAAA6KxsAAAER6ZTAqANf4AAA\/NZoFOsAJg3d7CAAAAABAAAAAAAADOWwj+S9m+WwiOapnwAA\/wAB"} -01340{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":211,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379118171,"flow_src_last_pkt_time":1470104379286078,"flow_dst_last_pkt_time":1470104379304068,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":720,"flow_dst_tot_l4_payload_len":24259,"midstream":0,"thread_ts_usec":1470104379304068,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49601,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":22,"flow_avg":11068.8,"flow_max":56171,"flow_stddev":20111.0,"c_to_s_min":22,"c_to_s_avg":16830.6,"c_to_s_max":56171,"c_to_s_stddev":24460.0,"s_to_c_min":27,"s_to_c_avg":8449.9,"s_to_c_max":52106,"s_to_c_stddev":17157.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":128.4,"c_to_s_max":414,"c_to_s_stddev":142.9,"s_to_c_min":60,"s_to_c_avg":1157.5,"s_to_c_max":1314,"s_to_c_stddev":397.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01340{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":250,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1470104379118544,"flow_src_last_pkt_time":1470104379309514,"flow_dst_last_pkt_time":1470104379309350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":718,"flow_dst_tot_l4_payload_len":21739,"midstream":0,"thread_ts_usec":1470104379309514,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49602,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":22,"flow_avg":11942.2,"flow_max":66248,"flow_stddev":23775.6,"c_to_s_min":22,"c_to_s_avg":15945.2,"c_to_s_max":66248,"c_to_s_stddev":26102.0,"s_to_c_min":30,"s_to_c_avg":9540.3,"s_to_c_max":65392,"s_to_c_stddev":21915.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":115.8,"c_to_s_max":413,"c_to_s_stddev":133.0,"s_to_c_min":60,"s_to_c_avg":1141.8,"s_to_c_max":1314,"s_to_c_stddev":413.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01340{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":252,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1470104379117273,"flow_src_last_pkt_time":1470104379305366,"flow_dst_last_pkt_time":1470104379309692,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":361,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":21739,"midstream":0,"thread_ts_usec":1470104379309692,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49599,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":23,"flow_avg":13480.5,"flow_max":66840,"flow_stddev":23920.5,"c_to_s_min":23,"c_to_s_avg":19913.0,"c_to_s_max":66840,"c_to_s_stddev":26568.5,"s_to_c_min":40,"s_to_c_avg":9621.0,"s_to_c_max":65090,"s_to_c_stddev":21266.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":116.2,"c_to_s_max":415,"c_to_s_stddev":133.7,"s_to_c_min":60,"s_to_c_avg":1141.8,"s_to_c_max":1314,"s_to_c_stddev":413.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":280,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379119336,"flow_src_last_pkt_time":1470104379328801,"flow_dst_last_pkt_time":1470104379305020,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":369,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":1458,"flow_dst_tot_l4_payload_len":23877,"midstream":0,"thread_ts_usec":1470104379328801,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49604,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":26,"flow_avg":12359.8,"flow_max":96474,"flow_stddev":26004.5,"c_to_s_min":26,"c_to_s_avg":20982.9,"c_to_s_max":96474,"c_to_s_stddev":32690.9,"s_to_c_min":44,"s_to_c_avg":8440.2,"s_to_c_max":72323,"s_to_c_stddev":21182.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":202.2,"c_to_s_max":423,"c_to_s_stddev":176.7,"s_to_c_min":60,"s_to_c_avg":1140.1,"s_to_c_max":1314,"s_to_c_stddev":398.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":291,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379117772,"flow_src_last_pkt_time":1470104379360886,"flow_dst_last_pkt_time":1470104379361184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":362,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":724,"flow_dst_tot_l4_payload_len":24259,"midstream":0,"thread_ts_usec":1470104379361184,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49600,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":23,"flow_avg":15219.5,"flow_max":142000,"flow_stddev":31946.3,"c_to_s_min":23,"c_to_s_avg":24361.3,"c_to_s_max":142000,"c_to_s_stddev":43436.6,"s_to_c_min":31,"s_to_c_avg":11064.2,"s_to_c_max":85115,"s_to_c_stddev":23908.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":128.8,"c_to_s_max":416,"c_to_s_stddev":143.7,"s_to_c_min":60,"s_to_c_avg":1157.5,"s_to_c_max":1314,"s_to_c_stddev":397.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01340{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":211,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379118171,"flow_src_last_pkt_time":1470104379286078,"flow_dst_last_pkt_time":1470104379304068,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":720,"flow_dst_tot_l4_payload_len":24259,"midstream":0,"thread_ts_usec":1470104379304068,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49601,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":22,"flow_avg":11413.0,"flow_max":56171,"flow_stddev":20339.8,"c_to_s_min":22,"c_to_s_avg":18656.3,"c_to_s_max":56171,"c_to_s_stddev":25128.4,"s_to_c_min":27,"s_to_c_avg":8449.9,"s_to_c_max":52106,"s_to_c_stddev":17157.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":128.4,"c_to_s_max":414,"c_to_s_stddev":142.9,"s_to_c_min":60,"s_to_c_avg":1157.5,"s_to_c_max":1314,"s_to_c_stddev":397.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01340{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":250,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1470104379118544,"flow_src_last_pkt_time":1470104379309514,"flow_dst_last_pkt_time":1470104379309350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":718,"flow_dst_tot_l4_payload_len":21739,"midstream":0,"thread_ts_usec":1470104379309514,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49602,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":22,"flow_avg":12315.4,"flow_max":66248,"flow_stddev":24063.6,"c_to_s_min":22,"c_to_s_avg":17360.9,"c_to_s_max":66248,"c_to_s_stddev":26817.9,"s_to_c_min":30,"s_to_c_avg":9540.3,"s_to_c_max":65392,"s_to_c_stddev":21915.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":115.8,"c_to_s_max":413,"c_to_s_stddev":133.0,"s_to_c_min":60,"s_to_c_avg":1141.8,"s_to_c_max":1314,"s_to_c_stddev":413.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01340{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":252,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1470104379117273,"flow_src_last_pkt_time":1470104379305366,"flow_dst_last_pkt_time":1470104379309692,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":361,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":21739,"midstream":0,"thread_ts_usec":1470104379309692,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49599,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":23,"flow_avg":12274.6,"flow_max":66840,"flow_stddev":23326.2,"c_to_s_min":23,"c_to_s_avg":17099.4,"c_to_s_max":66840,"c_to_s_stddev":25981.9,"s_to_c_min":40,"s_to_c_avg":9621.0,"s_to_c_max":65090,"s_to_c_stddev":21266.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":116.2,"c_to_s_max":415,"c_to_s_stddev":133.7,"s_to_c_min":60,"s_to_c_avg":1141.8,"s_to_c_max":1314,"s_to_c_stddev":413.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":280,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379119336,"flow_src_last_pkt_time":1470104379328801,"flow_dst_last_pkt_time":1470104379305020,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":369,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":1458,"flow_dst_tot_l4_payload_len":23877,"midstream":0,"thread_ts_usec":1470104379328801,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49604,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":26,"flow_avg":12746.7,"flow_max":96474,"flow_stddev":26329.7,"c_to_s_min":26,"c_to_s_avg":23273.9,"c_to_s_max":96474,"c_to_s_stddev":33689.1,"s_to_c_min":44,"s_to_c_avg":8440.2,"s_to_c_max":72323,"s_to_c_stddev":21182.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":202.2,"c_to_s_max":423,"c_to_s_stddev":176.7,"s_to_c_min":60,"s_to_c_avg":1140.1,"s_to_c_max":1314,"s_to_c_stddev":398.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":291,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379117772,"flow_src_last_pkt_time":1470104379360886,"flow_dst_last_pkt_time":1470104379361184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":362,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":724,"flow_dst_tot_l4_payload_len":24259,"midstream":0,"thread_ts_usec":1470104379361184,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49600,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":23,"flow_avg":15694.4,"flow_max":142000,"flow_stddev":32346.1,"c_to_s_min":23,"c_to_s_avg":27012.7,"c_to_s_max":142000,"c_to_s_stddev":45011.9,"s_to_c_min":31,"s_to_c_avg":11064.2,"s_to_c_max":85115,"s_to_c_stddev":23908.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":128.8,"c_to_s_max":416,"c_to_s_stddev":143.7,"s_to_c_min":60,"s_to_c_avg":1157.5,"s_to_c_max":1314,"s_to_c_stddev":397.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":389,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104379579523,"flow_src_last_pkt_time":1470104379579523,"flow_dst_last_pkt_time":1470104379579523,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":244,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":244,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":244,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104379579523,"l3_proto":"ip4","src_ip":"192.168.5.67","dst_ip":"192.168.255.255","src_port":138,"dst_port":138,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00833{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":389,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_src_last_pkt_time":1470104379579523,"flow_dst_last_pkt_time":1470104379579523,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":286,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":286,"pkt_l4_len":252,"thread_ts_usec":1470104379579523,"pkt":"\/\/\/\/\/\/\/\/jHNut5QdCABFAAEQAABAAEARs0nAqAVDwKj\/\/wCKAIoA\/P+KEQouQ8CoBUMAigDmAAAgRkRFQkVPRUtFSkNORU1FSkVHRUZFQ0VQRVBFTENOQUEAIEZIRVBGQ0VMRUhGQ0VQRkZGQUNBQ0FDQUNBQ0FDQUJPAP9TTUIlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEQAATAAAAAAAAAAAAAAAAAAAAAAAAABMAFYAAwABAAEAAgBdAFxNQUlMU0xPVFxCUk9XU0UAD1DgkwQAU0FOSkktTElGRUJPT0stTAQJA5qEAA8BVapzYW5qaS1MSUZFQk9PSy1MSDUzMSBzZXJ2ZXIgKFNhbWJhLCBVYnVudHUpAA=="} 01022{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":389,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104379579523,"flow_src_last_pkt_time":1470104379579523,"flow_dst_last_pkt_time":1470104379579523,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":244,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":244,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":244,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104379579523,"l3_proto":"ip4","src_ip":"192.168.5.67","dst_ip":"192.168.255.255","src_port":138,"dst_port":138,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv1","proto_id":"10.16","encrypted":0,"breed":"Dangerous","category_id":18,"category":"System","hostname":"sanji-lifebook-"}} @@ -167,7 +167,7 @@ 01009{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":404,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1470104379903616,"flow_src_last_pkt_time":1470104379941700,"flow_dst_last_pkt_time":1470104379940364,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":336,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104379941700,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49605,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"jp.kankan.1kxun.mobi","http": {"url":"jp.kankan.1kxun.mobi\/api\/videos\/10410.json","code":0,"content_type":"","user_agent":""}}} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":406,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":3,"flow_src_last_pkt_time":1470104379916943,"flow_dst_last_pkt_time":1470104379954670,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104379954670,"pkt":"ABxCjnAxTF4M6gNlCABFAAA0AABAADYGguxquSNuwKhzCABQwcaIrnkOwQ72oYASchC\/lAAAAgQFtAEBBAIBAwMH"} 01031{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":409,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1470104379916887,"flow_src_last_pkt_time":1470104379956802,"flow_dst_last_pkt_time":1470104379954670,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104379956802,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49606,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"jp.kankan.1kxun.mobi","http": {"url":"jp.kankan.1kxun.mobi\/api\/movies\/mp4script\/10410?definition=true","code":0,"content_type":"","user_agent":""}}} -01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":441,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1470104379916887,"flow_src_last_pkt_time":1470104380141237,"flow_dst_last_pkt_time":1470104380142241,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":714,"flow_dst_tot_l4_payload_len":20160,"midstream":0,"thread_ts_usec":1470104380142241,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49606,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":26,"flow_avg":14468.0,"flow_max":146838,"flow_stddev":32657.3,"c_to_s_min":26,"c_to_s_avg":16972.9,"c_to_s_max":146838,"c_to_s_stddev":38253.9,"s_to_c_min":56,"s_to_c_avg":12519.7,"s_to_c_max":109751,"s_to_c_stddev":27370.7},"pktlen": {"c_to_s_min":54,"c_to_s_avg":106.7,"c_to_s_max":411,"c_to_s_stddev":124.3,"s_to_c_min":60,"s_to_c_avg":1175.0,"s_to_c_max":1314,"s_to_c_stddev":393.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":441,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1470104379916887,"flow_src_last_pkt_time":1470104380141237,"flow_dst_last_pkt_time":1470104380142241,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":714,"flow_dst_tot_l4_payload_len":20160,"midstream":0,"thread_ts_usec":1470104380142241,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49606,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":26,"flow_avg":14506.6,"flow_max":146838,"flow_stddev":33179.1,"c_to_s_min":26,"c_to_s_avg":17257.7,"c_to_s_max":146838,"c_to_s_stddev":39683.6,"s_to_c_min":56,"s_to_c_avg":12519.7,"s_to_c_max":109751,"s_to_c_stddev":27370.7},"pktlen": {"c_to_s_min":54,"c_to_s_avg":106.7,"c_to_s_max":411,"c_to_s_stddev":124.3,"s_to_c_min":60,"s_to_c_avg":1175.0,"s_to_c_max":1314,"s_to_c_stddev":393.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":458,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104380188079,"flow_src_last_pkt_time":1470104380188079,"flow_dst_last_pkt_time":1470104380188079,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104380188079,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"218.244.135.170","src_port":49607,"dst_port":9099,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":458,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":1,"flow_src_last_pkt_time":1470104380188079,"flow_dst_last_pkt_time":1470104380188079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104380188079,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UhRAAIAGEmDAqHMI2vSHqsHHI4t8ty1+AAAAAIACIAAqAAAAAgQE7AEDAwgBAQQC"} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":459,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_src_last_pkt_time":1470104380188122,"flow_dst_last_pkt_time":1470104380188079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104380188122,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UhRAAIAGEmDAqHMI2vSHqsHHI4t8ty1+AAAAAIACIAAqAAAAAgQE7AEDAwgBAQQC"} @@ -224,7 +224,7 @@ 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":569,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104382053678,"flow_dst_last_pkt_time":1470104382053678,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104382053678,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":569,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1470104382053678,"flow_dst_last_pkt_time":1470104382053678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104382053678,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UjJAAIAGjM3AqHMIt4MwkMHNAFBSJ8A7AAAAAIACIABfkwAAAgQE7AEDAwgBAQQC"} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":570,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":2,"flow_src_last_pkt_time":1470104382053709,"flow_dst_last_pkt_time":1470104382053678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104382053709,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UjJAAIAGjM3AqHMIt4MwkMHNAFBSJ8A7AAAAAIACIABfkwAAAgQE7AEDAwgBAQQC"} -01580{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":571,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1470104380890420,"flow_src_last_pkt_time":1470104382084858,"flow_dst_last_pkt_time":1470104381881083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":445,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":3612,"flow_dst_tot_l4_payload_len":6271,"midstream":0,"thread_ts_usec":1470104382084858,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"42.120.51.152","src_port":49609,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25,"flow_avg":70018.7,"flow_max":398999,"flow_stddev":102692.6,"c_to_s_min":25,"c_to_s_avg":65786.1,"c_to_s_max":349653,"c_to_s_stddev":100252.7,"s_to_c_min":85,"s_to_c_avg":76204.8,"s_to_c_max":398999,"s_to_c_stddev":105853.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":245.4,"c_to_s_max":499,"c_to_s_stddev":193.1,"s_to_c_min":60,"s_to_c_avg":538.8,"s_to_c_max":1314,"s_to_c_stddev":555.7}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01580{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":571,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1470104380890420,"flow_src_last_pkt_time":1470104382084858,"flow_dst_last_pkt_time":1470104381881083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":445,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":3612,"flow_dst_tot_l4_payload_len":6271,"midstream":0,"thread_ts_usec":1470104382084858,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"42.120.51.152","src_port":49609,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25,"flow_avg":70487.1,"flow_max":398999,"flow_stddev":104302.2,"c_to_s_min":25,"c_to_s_avg":66357.7,"c_to_s_max":349653,"c_to_s_stddev":102969.7,"s_to_c_min":85,"s_to_c_avg":76204.8,"s_to_c_max":398999,"s_to_c_stddev":105853.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":245.4,"c_to_s_max":499,"c_to_s_stddev":193.1,"s_to_c_min":60,"s_to_c_avg":538.8,"s_to_c_max":1314,"s_to_c_stddev":555.7}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":573,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":3,"flow_src_last_pkt_time":1470104382053709,"flow_dst_last_pkt_time":1470104382122949,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1470104382122949,"pkt":"ABxCjnAxTF4M6gNlCABFAAAsAABAADEGLgi3gzCQwKhzCABQwc0rYeLSUifAPGASOQhglAAAAgQFtAAA"} 01501{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":577,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104382125031,"flow_dst_last_pkt_time":1470104382122949,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":503,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":503,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104382125031,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"183.131.48.144","http": {"url":"183.131.48.144\/vlive.qqvideo.tc.qq.com\/u0020mkrnds.p1203.1.mp4?vkey=7AB139BF6B32F53747E8FF192E6FE557B3A3D644C034E34BF6EAEB4E0774F2A92EF3AC5C007520BB925E5C8A18E6D302C2DAE0A295B26AA8FD1DC8069D47CE1B4A16A56870BD1ACA3E86ABE4C079659DB2182FC71217AB68CCD344CE65694457E3F53549CD617D5C9F671A26C70DC68F93F1D7BCD017762F&guid=F5EB01CC01A8E08CD83630828DE17C2B02162FD8&locid=a06f98fd-fa26-44e5-acc5-0d83f9df03af&size=9418655&ocid=253564332","code":0,"content_type":"","user_agent":""}}} 01528{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":582,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":3,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104382125065,"flow_dst_last_pkt_time":1470104382192288,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":503,"flow_dst_max_l4_payload_len":281,"flow_src_tot_l4_payload_len":1006,"flow_dst_tot_l4_payload_len":281,"midstream":0,"thread_ts_usec":1470104382192288,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media","hostname":"183.131.48.144","http": {"url":"183.131.48.144\/vlive.qqvideo.tc.qq.com\/u0020mkrnds.p1203.1.mp4?vkey=7AB139BF6B32F53747E8FF192E6FE557B3A3D644C034E34BF6EAEB4E0774F2A92EF3AC5C007520BB925E5C8A18E6D302C2DAE0A295B26AA8FD1DC8069D47CE1B4A16A56870BD1ACA3E86ABE4C079659DB2182FC71217AB68CCD344CE65694457E3F53549CD617D5C9F671A26C70DC68F93F1D7BCD017762F&guid=F5EB01CC01A8E08CD83630828DE17C2B02162FD8&locid=a06f98fd-fa26-44e5-acc5-0d83f9df03af&size=9418655&ocid=253564332","code":206,"content_type":"video\/mp4","user_agent":""}}} @@ -252,7 +252,7 @@ 00897{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":608,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1470104383810371,"flow_dst_last_pkt_time":1470104383815221,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"thread_ts_usec":1470104383815221,"pkt":"ABxCjnAxTF4M6gNlCABFAAFIAAAAABARrEPAqHcBwKgFEABDAEQBNHbOAgEGABeXwMwAAAAAwKgFEMCoBRDAqHcBAAAAAGDFRwW8jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgTAqHcBMwQAAAA8AQT\/\/wAAAwTAqHcBBhCoXwEBCAgICKhfwAEICAQE\/wAAAAAAAAAAAAAAAAAA"} 00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":612,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1470104384085549,"flow_dst_last_pkt_time":1470104378045830,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104384085549,"pkt":"AQBef\/\/6\/PiuMpcsCABFAAChLEMAAAER2QfAqANf7\/\/\/+uhMB2wAjbUvTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="} 00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":618,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1470104384289461,"flow_dst_last_pkt_time":1470104381217586,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104384289461,"pkt":"AQBef\/\/6CJ4BzeuNCABFAAChFFAAAAER7zTAqAUl7\/\/\/+t\/tB2wAjbvITS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="} -01468{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":622,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104384990940,"flow_dst_last_pkt_time":1470104384790982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":503,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1006,"flow_dst_tot_l4_payload_len":9497,"midstream":0,"thread_ts_usec":1470104384990940,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":26,"flow_avg":177340.2,"flow_max":862765,"flow_stddev":250875.8,"c_to_s_min":26,"c_to_s_avg":146879.0,"c_to_s_max":862765,"c_to_s_stddev":257318.0,"s_to_c_min":190,"s_to_c_avg":228108.7,"s_to_c_max":665858,"s_to_c_stddev":230994.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":105.5,"c_to_s_max":557,"c_to_s_stddev":150.5,"s_to_c_min":60,"s_to_c_avg":846.4,"s_to_c_max":1078,"s_to_c_stddev":406.3}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +01468{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":622,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104384990940,"flow_dst_last_pkt_time":1470104384790982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":503,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1006,"flow_dst_tot_l4_payload_len":9497,"midstream":0,"thread_ts_usec":1470104384990940,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":26,"flow_avg":183050.5,"flow_max":862765,"flow_stddev":252834.9,"c_to_s_min":26,"c_to_s_avg":154592.7,"c_to_s_max":862765,"c_to_s_stddev":261739.2,"s_to_c_min":190,"s_to_c_avg":228108.7,"s_to_c_max":665858,"s_to_c_stddev":230994.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":105.5,"c_to_s_max":557,"c_to_s_stddev":150.5,"s_to_c_min":60,"s_to_c_avg":846.4,"s_to_c_max":1078,"s_to_c_stddev":406.3}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} 00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":625,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_src_last_pkt_time":1470104385211573,"flow_dst_last_pkt_time":1470104382241911,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104385211573,"pkt":"AQBef\/\/6uKxvwfbSCABFAAChJ0oAAAERfD7AqGUh7\/\/\/+ti9B2wAjWL8TS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="} 00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":626,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":2,"flow_src_last_pkt_time":1470104385211727,"flow_dst_last_pkt_time":1470104382242882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104385211727,"pkt":"AQBef\/\/6cPGh+Cr9CABFAAChfwAAAAERhKDAqAUJ7\/\/\/+ti8B2wAjcMVTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="} 00684{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":631,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":2,"flow_src_last_pkt_time":1470104385418800,"flow_dst_last_pkt_time":1470104382448863,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":179,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":179,"pkt_l4_len":145,"thread_ts_usec":1470104385418800,"pkt":"AQBef\/\/66LH8q\/uyCABFAAClCewAAAQR9ojAqAUx7\/\/\/+sn4B2wAkYV1TS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpkZXZpY2U6SW50ZXJuZXRHYXRld2F5RGV2aWNlOjENCk1hbjogInNzZHA6ZGlzY292ZXIiDQpNWDogMw0KDQo="} @@ -504,7 +504,7 @@ 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1273,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":117,"flow_packet_id":3,"flow_src_last_pkt_time":1470104423247712,"flow_dst_last_pkt_time":1470104423247634,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1470104423247712,"pkt":"ABAj4ACgYMVHBbyMCABFAAAoVNRAAEAG7E\/AqAUQwKhzS9F9AbtloPkmgtA7TFAQIACmCwAAUC8xLjEN"} 01151{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1274,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":117,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1470104423246688,"flow_src_last_pkt_time":1470104423248266,"flow_dst_last_pkt_time":1470104423247634,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":213,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":213,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104423248266,"l3_proto":"ip4","src_ip":"192.168.5.16","dst_ip":"192.168.115.75","src_port":53629,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"192.168.115.75","tls": {"version":"TLSv1.2","ja3":"618ee2509ef52bf0b8216e1564eea909","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01303{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1276,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":117,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1470104423246688,"flow_src_last_pkt_time":1470104423248266,"flow_dst_last_pkt_time":1470104423251782,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":213,"flow_dst_max_l4_payload_len":161,"flow_src_tot_l4_payload_len":213,"flow_dst_tot_l4_payload_len":161,"midstream":0,"thread_ts_usec":1470104423251782,"l3_proto":"ip4","src_ip":"192.168.5.16","dst_ip":"192.168.115.75","src_port":53629,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"192.168.115.75","tls": {"version":"TLSv1.2","ja3":"618ee2509ef52bf0b8216e1564eea909","ja3s":"573a9f3f80037fb40d481e2054def5bb","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA"}}} -01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1299,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1470104379118972,"flow_src_last_pkt_time":1470104424311883,"flow_dst_last_pkt_time":1470104379310452,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":361,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":723,"flow_dst_tot_l4_payload_len":22966,"midstream":0,"thread_ts_usec":1470104424311883,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49603,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19,"flow_avg":1418275.6,"flow_max":45001141,"flow_stddev":7827752.0,"c_to_s_min":19,"c_to_s_avg":4108485.5,"c_to_s_max":45001141,"c_to_s_stddev":12931422.0,"s_to_c_min":25,"s_to_c_avg":9118.1,"s_to_c_max":69006,"s_to_c_stddev":22118.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":121.9,"c_to_s_max":415,"c_to_s_stddev":138.2,"s_to_c_min":60,"s_to_c_avg":1148.5,"s_to_c_max":1314,"s_to_c_stddev":404.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1299,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1470104379118972,"flow_src_last_pkt_time":1470104424311883,"flow_dst_last_pkt_time":1470104379310452,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":361,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":723,"flow_dst_tot_l4_payload_len":22966,"midstream":0,"thread_ts_usec":1470104424311883,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49603,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19,"flow_avg":1464012.6,"flow_max":45001141,"flow_stddev":7948794.0,"c_to_s_min":19,"c_to_s_avg":4519291.0,"c_to_s_max":45001141,"c_to_s_stddev":13493978.0,"s_to_c_min":25,"s_to_c_avg":9118.1,"s_to_c_max":69006,"s_to_c_stddev":22118.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":121.9,"c_to_s_max":415,"c_to_s_stddev":138.2,"s_to_c_min":60,"s_to_c_avg":1148.5,"s_to_c_max":1314,"s_to_c_stddev":404.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1318,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":118,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104424738880,"flow_src_last_pkt_time":1470104424738880,"flow_dst_last_pkt_time":1470104424738880,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104424738880,"l3_proto":"ip4","src_ip":"192.168.0.104","dst_ip":"192.168.255.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1318,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":118,"flow_packet_id":1,"flow_src_last_pkt_time":1470104424738880,"flow_dst_last_pkt_time":1470104424738880,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1470104424738880,"pkt":"\/\/\/\/\/\/\/\/AAwpjO\/4CABFAABOZ6MAAIARUUPAqABowKj\/\/wCJAIkAOgIy8PkBEAABAAAAAAAAIEZERURDT0VCRkNGQ0VCRU9FREVCRkNDT0VQRkNFSEFBAAAgAAE="} 00895{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1318,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":118,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104424738880,"flow_src_last_pkt_time":1470104424738880,"flow_dst_last_pkt_time":1470104424738880,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104424738880,"l3_proto":"ip4","src_ip":"192.168.0.104","dst_ip":"192.168.255.255","src_port":137,"dst_port":137,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"sc.arrancar.org"}} @@ -770,9 +770,9 @@ 16052{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1490,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":144,"flow_packet_id":3,"flow_src_last_pkt_time":1654385136216297,"flow_dst_last_pkt_time":1654385136563824,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":11586,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":11586,"pkt_l4_len":11552,"thread_ts_usec":1654385136563824,"pkt":"nLbQ0+MztKXvZygQCABFAC00DihAADYGILqsaXlSwKgCfgBQtISflMKw6t\/AxoAQAOsWCQAAAQEICsmhz1fytRrc\/9j\/4AAQSkZJRgABAQAAAQABAAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMABAIDAwMCBAMDAwQEBAQFCQYFBQUFCwgIBgkNCw0NDQsMDA4QFBEODxMPDAwSGBITFRYXFxcOERkbGRYaFBYXFv\/bAEMBBAQEBQUFCgYGChYPDA8WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFv\/AABEIASICJgMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APBdf1K+GvXii9uOLh+PNP8AePvX3sYx5VofGybuyCPU74H\/AI\/bj\/v6aJRT2Rm7k8epX4YOt9cAjuJWH9aSST2IblqrnQL4t8Q3MQik1KVRjBKHBP1NevVznGVKfJdLzSSb+f8AkeVSyfB0586Tfk22l8hyahfbc\/bJ8\/8AXQ815Liup6V3awj6le4P+mTc\/wDTQ1m4rsRKT7kYvbvJJuJTk5OXPJosuxnd9xJ9QvGGGupW9MuaaS7FXfcjS9u1O5bmUHvhyKvRju+4Nf3e7f8Aapd3rvOaq3kNXvuRPql6uVW7mAPo5qko9hq\/cZFqF3nAuZQD1Ac1XLHcevcuW+pXqji7mHsHNZuK7EO66k0Wo3I5+0SfUMaOVPoLXuSnUb0qV+1zFfTeanlXYSchh1G9Xpdygf8AXQ1SiuxevcaL++yMXU2Ov+sNXyrsUnLuPF\/fA\/8AH5Pg\/wC2apKPYbb7kqX98W\/4\/J\/+\/hoaVtiHJ9yaLUb3OPtc3\/fZqLLsCnJolTUb4HP2yb8XNJ27Cu72uNOo3p\/5epvpvNPlXYTb7jW1G+xj7XN\/32atJLoOM5EcmoXuP+Pub\/vs0JK+w3KSBb+9zzdzZP8A00NU0mtENSa6iS6nqCQMFu7gqSMgSdTnA6njk1nJxirsuHNOVkN8XeLPDuh303hfxGPGllIeZruy8lXkXpmLfkhDg4IwTXlSxlaS9yMV+Z6dHD04WlJ3OW0e88CpLqdx4X8Zawt5bwNNax+Jm8oz7efLSRCU3nnAbGegIzURrTi1KUfuO2ac9E9Dnpfid4iuNdW5XUWkd8Zi85xHNx93B5Vu1diqNO8UZyw6kmpM9K0vWLm+0u3voby4CTpu2MWDRnOCpz3ByK9SDjKKdjyatOdOTi2Wlvr3Oftc2R\/tmqtHsYtvuSJqF6SP9Lm\/7+GqUV2FzPuWX1S8ZNhuZCQoVW8wjaB6fWlyrqhcz7jF1G9Ax9qm\/wC+zTcI9ik33GtqF5zi7m\/77NHLHsHM+4qajegY+1Tf99mk4R7Am+5Il9et0upv++zScYroHNLuSw3F40yAXcpP++ayqpW2Nad77m7bpeKgMtzMB3+c1zx0exvJe7uUby7uopmQXUuB\/tmupJW2OZN9WZV5qd4krbbuY\/8AAzVWj2C8n1KjanqLHm7mx\/vms7JvYpXsXLS+vcZN1N\/32atRXYlt3LDX92RxdSn\/AIGazcoroaxi2tyE6heE8Xcv\/fZq4qL6EyUlpcVb+9Jx9qm\/77NaKMexnd9y1BdXxAP2qX\/vs0\/d7A3LuWYby9B5upv++zQ1HsS2+5bgvrr\/AJ+Zc\/7xqHGPYTbvuLLf3fa5l\/76oUIvoVGbRE2oXn\/P1L\/32aiyT2NubmW46O9vSf8Aj6l6\/wB41olHsYyuupYS8vNvNzJ\/31T5Y9iby7kiXd2f+XmXH+9TUV2DmfckS5u8D\/SJP++jVcsewc0u5PDcXhPNxL\/31Ryx7BzPuWkurkDP2iTp\/epcsewnJ9yveXt8WBW4kH\/AqiUE+hpTnpuWIr68EY3XEmR1+aqUI22M5N9Gb3hnVJwwJmY\/U1y1oLsQ3LudXLqQNod9wc46ZrjUHfYjn8zldWuZWnJjuH68YNd1NK1mieZ9yGDULmMAGd\/zq+VdgfM+pDf6vcqhCzuSfeqSj2KipPqZc13eFC32mT\/vqlzRvaxvytLcggv7sT7jdSf99U3FPoHM7bl\/7XczJn7RJx0+as3FdjJzlfcW1kuo0bNxJljnO40KMewnNt6sFurtWYedJj13Gm4prYG5PqfNuvpjXr0+tw\/\/AKEa44u8Ujvk9WVNvH+eavUVx8WemaZLNWwOFH0pEW1NNXwnT86TehLRGWB5qGjGSFJOKRKIXOckk4prcaWokRNPVajtYVgSuAafMUiIxZNXcq45IyDS5kQ2TKM8dKTY3qPjOOlVcT7Eqn5eTQGwx2yTVRBMVCevansO5MpGKBvYeHHGKaE2SKwGDmkJIfuwKhsHcN+WweM1SDW5Vu7+zt5khnuYo5ZPuIzgM3uBQ5JPUtU21dLQ3DowXw1Lqs+pW0biLzYbcHc7Jnl2AOQo9a0tFL3nYcYtuzMC51O0MkdrY3VtcySMTtilJQL\/AAyFyOh7DqB1rGVdWOhYW4XtzptnB9o8ToP7PjDF7AzBDezAZi+Yc7ATu468CuTESlOK5XZo3o0eVu5w3xEuNb8beKLnX4rK4uonjiggEbB3VEQIq8ck8E8CuGLUI2k9TtUErJLQ4fVbW5sLSeK8gmt5iMGOeMo4\/A1vBmsE3USMfTbhwwiLkfMCh9D600dlWOnMj6W+Hl9p2s\/BaCW3y2oWl2WuSVO5HIAYE994AOOxT3NexSanBOGi6+p4eJg3NtjkJK7ugPT3rVM89olVgEDZyW4HH507iHPxEsgOc8H2qr6BYYXzUbBYcppsbRPbxNKcKKd7bisXBazouTE231AqbooI3MUgfoVPek1cFKxpHWFMJyTnHTFZ+zVy\/a6GTcTvLKTuxmtUjN6laVC569e9Fhp20FhgUHLYNSopGi13JZchcLUOZap9RIQcHOeahq+ppdINnPrWkLoyqSuKg5B71sZbl22kAHUUrag2Th8nINVcgfHJgioYEpJPQU0FhyR7jjtTaHcmSLbzntQhEqDJxTsIngTPamrgW4oh1NMm5KF29KBX10FbpzSBtkTDL5zmnYEx2C3WkDZZs2khbKMVqZJMT1LyXEz43SEis+VIVrCGQ\/xdalpENdSKeT5TjmhCMy6c7utaI1inYIC0i7Sc1Lir3LcmkRXMRV8jNaRJTvuW9JPIyelROJLRrKqY9sVlYy6kFwi5+U1cSkz5u17H9u3mT\/y8P\/6Ea4Y7I9CW7KbYJxWiELGBuFNgzTscDHNIRb3\/ACYpWJaBWz3qGYzRIThaRCRDKw\/\/AFU0XEYrjNOw2iYfMakVkO209RXdxwxjNDuJthjvimtQQADPWtRu1hx9u9IQgGadwHLwQKECV3qSL97rVF7MUA5xQ2Jqw9GxnIPtSbGkZOq+JbSyuBD99jxw3+fzrmqV1Dpc6qWFlUVyVdWknsILm1NrGkj7Ge8kaMIecE4HQ46jis\/rXNokbrA23Zi3WlD+1I\/Ed3rNhcSQoS0MaiZGA\/gYfeUNkjNRz8zu9TqhTio8kUzm9f8AEus61rNubSya0W2QpAkf7sqhPILd1z3NTVrSeq0sa0qMYLletx6eFNSlu2t9Lmd4j5cpjWQfuiyhgDzyPTsenWsowbdzWUlFXZ02iWF6biWK\/kVLmxXHlXdqWIzxxz8vHPIx6Gt4t7MwlGO8Sfxdf2VzpkcWnx6ei25CLugH+tz2IwV9fWnNxasyYxaeoal4s1PUvh7b+ENWsodc0yG8MrXF0m6dG2AMkcxOQF7GsJUF8VPc0hPkle5454n0p9O117WC3uVAG9FmQhwvXkew7\/jRDmXx7noUqinC7Ou+D3iS903U3tre4dFuwGVf4RIPun29Poa78PWcW4rqcVakkz1P7XHewJcwRmNX5K5zt55H4V1Xb1PHcFGTRNA4CYZWI7c9BWsGYztc0dKs5ruK5WNSRHbtN\/3yR\/jWnMRsVzDIDhlII7EVDaLsKoK0lJXHytGvoBQsA2KmUmC0OnKqLQgAAGsepfKtzm9YVVlOMc10x2MpKxQFVYgXGKClsAHGc0CuOQHNDGpWHhdwArJw1N1VVrF7SdOlvpxHHx6mnpFakNuWxY1jQp7GPzd29e59KcJKWgmnbUyse9XcaBTg\/wD1qdxNXJoye1K6J5W9ixH0yapK4rWLCN05p2E7liI7TihoSJhycc4pWsG5NCBuweaVykrlyCLIBAo5hOBOCEGCKOdE8gyeULGWU0N6CSaZDHLvYc1KZq46EyLurRGNifARQSM5ouA25kAgLDqO1TcpIZp15vk2HipYpx0LrnJz2rNswGOvynJ61N7AZ9yOTWq1Nosn00ChhPckvkXYT3oiyYmYL4xSbQKJs6IQvozVsb3zY8luahPsZ1KVth8s4A65q1oZKPY+bddkLa7fdcfaX\/8AQjXEvhR6Ul7zKu89xTWpNiWJuR6UyWaNiDtBNBHUtE4HWpbJkwjOOlQ2QPMnGMc0lZgV5HJOaYDEJLdTzTSuxliIsOM07CJ1cYwDRa7Cwu7Ham0iGhAwNJ6B0F7YzVJ3DQdnkE07jsLmmTYkUZx3xS2LumO5HWncYm7Bqb3AzPFurJpOlNOdpkf5I1J4JxyT7AVjUnyxub0KXtJ26Hj+qazdXN8WikJ+bexPO8\/4egrlULq7PoYU0oJMbJ4l1Nh5c0iTpnI8wcj6UnTRaoxsWtButT1PW7O1hdA8zkooGGAAJLZHsD+VZqKvaL1H7NRVzudQ+K95L4YudCax01FsxshuBaoJpFZhlC2MkZJatvaPlVkczw95ud9zndM8WLZ6hHJDEscEyBfLQldgHVfoTnj3qYtJsHCTXoP1vxbqWoX0cTXs7xQ8W8jv+8QHjBI646flUzvvcmKS1sWGuo5dIUER3lzGAxHn8n\/ZZSM8Um31Nbdth\/hzW7+DUojfQEgKRDbltgbdx8yjsMnGOvrWlGeur0RjiI6aLU9sk8JeCvHJae\/1KSye6jgs\/tBIIZjJsCgcZyGHTso7V6U4wm+bueSsRXw60W12eIeOPCF74A8X2cGpIIo7iMz2bK2d0QkKgn\/axjjtXG6TpTsezCtGvT54nceB7gXGjN+8z5crDbjAUHkY9Qa76ElKJ5OLTVQ3oQXQDd0O0D1raUuVHPCPM7Hb+DLe3MAwwGVw3r9K4J4lt2PQWF03F8VwWucqFDAckVtGblE55RSZyjqO1CuOSVgjYo+VJBHQg11Rjc5GtTUi1O48oL5mR2zUuCHzFS7mMkhLHNXFEPVjbSMzzrGONxApykkilFvQ6eXQ1W0wEGAvWudVrs0dK25zMqeXMU9DXQZND1XjkUCLtjEpjLHmpbKUbl\/T7wabOJQuQfvYpSjzIpPlLev69bXViYYQctwSazhTlF6lXTOZB9K1QrACD9ampPlVzWnDmkkS22TzXlurUlM9T2MIRLSgivWo8zjqeRWtzWRLCCTgDNa7GJct4z+PvTuSW4oiRSC5Yiix2rJmsWW4dqjmlZsJNDbpd68ZNFmgUkQrCzAgg4qkiL6iRWu2XJ49KaC5chQYqrmexBq0wjj4PI96iTsrlRiVtPkMwIbpUqV9Qk7E0UBjlL56UyeYsxzc7TWckyZMsoheM8Vm2YXsUryIqT79a1g9DSIWbrHy3Aq5I1ab0KmrXyq3yuCaSHCDuZkjmY7s4NaWTRuvdLdlJ5KgZye+alQtsZVJuZIbgsTzTtYxSaPCvEKga7e\/9fD\/APoRrzou0Ud8nqyntzVXFcliXmhEtmjZjCjOKGyWSyHnHFQyADDHXpUvUQN0zkVSVkJEbAE0g0uNUYPHGa0TViiYMQeo4piF3c9aOgChj0pCdh6k+tK4bD19M0bCuhwJzVJhcdGxxTGT25Xcc0O4JaiynJ5PSgl3ItwHHSlZlI8x+L2pPceKFsmkIgsogpUHqzcn+n5Vy1XeVme3gadqN+rONlG0FiOoyai7R6C1djZ+GXhC88X649rAwjhhQyTSMOAOyj3NcmLxMaEFJ6tnZTpOo7I9i8OfCa20fTmvZ5ZHu4o3MBQ4MIx0z34z+deLPMakpXjodccHFK8tWeaa7oFq3iS4ijXahBk2kcjCkgfj\/SvSo15OmmzhqU\/eaRzV5EV+6oOXyT\/P+VdUXdnCprYJc+Z58YK4A4A\/A\/0q7aBF6WCa6EzGC4RVKjCODjbTt1GotLmiylDeXtlcbllbcp\/jOavlTOhxjNXPRPhr8RbqyjjtLvTbO+Fm7T2ayBgBcNhRITnkKM8euK2hVlHQ4MRg4yu72ub3jCQ+MvhjqHn3EN34g0S4\/tMyf8tJYWZllRfVQNjkdtppuSqxd90KjT9lUVtnp93UX4RNHceHzOhXex2mMHOQDx+I5+oIrowrTVzlx8bWOrEu1hxtGcke9dU43Vjzoy5ZXNG01OWH5onKnHauJ4aVz0Vi4co261C5uPvuTXZCCijhqTcmRox6+n6U+VXuLmbQ9WI60+ZXsKUWP3HGKtEMGz1qriJrCXypw\/8Ad6VjUTaNqbSZ0ba239nGEvjIx71yxjaVzqnZxMOVw7lietdaZxz0FH3cCmQSwz+Scdc0rXNE7Ed3dlzjsDzVJENpkSHPemxpj1XJz3pJBccFOfrSlFNWZpCViaLC89h2qI4eKdzWdebViyrbhkV0JWOR6lywizg1Mi0jSjiym4AZFCZMkTwL04+tVozIs7F29MGpaHcQA9DVJWQpMlt+T0qZCWxOI1IzipuJtkUygjOOKZSYiqQhODikEtzn\/EczK2OeeKyqvSxvTimix4d\/1AOeaKSsiKyNQEHr1rTU5+oiqBJmpewMuwvhKycTPl1Kt+wwSeOK0gaRVjLupf3TbTyK1ZrHc43VtQnXUPLIIGeua5ZNqR1wScbmpYzt9nLE5rqj3RjLcguNTkibnGKyq1eU1hRU9iCLVmlY4Oce9c7xdzZ4PlWp5j4glX\/hIL0Z6XMn\/oRrJL3UZyWrIEbPOaZDRLFgnNUiWXYW+QdqkkJHI79aSEEbj1oaJH+ZxikIb5nJpglYA5IzRsMdnjPrVJjHp0ptoTHihMVhy+tQwJUPy\/8A1qZLihcc4oHYFyGo1GSLkVoK44HOc0EtjQNzc0ylueV\/FOwVPEGoXyvlXlRCCP49oLfhjFefUuptI+gwUn7OKZylwfvMTkZA\/DFCO2C6H0z+y54UWw8DwXsifvtRP2l8jnB+6Py\/nXzeOqe0rPy0PbwkOWnfuevNpEc1rJGQFEiFSfTIxXGkkzaT0PmH4jWLaVqj6gqtstLlrW7Q9VU8Bj+ORXq4WTl7p5leNvePN523KY8g7X7elepBdTzJJXuMtZFTcrcqRkVrYzmm1oMu4on3PjbkcUloVTk1oVchYwsgR1zgHIJWnc6bdVudX4DuNCsxdR6u7QwXUB8t1j5LAjgSAHGcdgepohe7dznmpyLi+IoINaZrIpHEI3WJY4gkZh27cMMZOckZJycgmq9o4vmQ+VW0Nz9nl7V31LTpXlUAMFABJQg8OB34BB\/CurB25rnLjotw5juLqNkYEkE5KHHqP8RzXopaHiiQnjGfpSYXsToRnjrTS0Al52cEVLLgNBOalI0bVhySqp5onUsZxg5MvW08LpggVmqrZo6dkNnRUOV6E9K3WqM1poNyT0NZs2THxjoTVRM52ZKWIOauxlYZvJPNOyC4igk5xQIkQc5NFimSpnOaYrkg9vxpWKXkPSMsen5VaVhtdy5bQnPTjNUQX7ZfLHPFRJXGnqW45l2beMmoW45xdixAc4q0rGDvsTg8UwSHIvPNFwZMqhASKi+oWJASVyTSFYgeQBgD0HWm1oNeZ2XhJLC7sfLlWLAGDkDNeZXlUjLQ0VmzlPiJo1pDcGS26dxW1GUpq0h6x2Ocs828eBXZaxLRo2soZMueTSvqS4CySBW60ENCi7CjlqXLcXKVL68DDg1UYlqJSEgYEbsD+dW9DRIyNVsopJd4x1qHG5afKhsa+VBiqitbEGbq1v5wzuIFY16KkrnRQrODKmm6aSWwzdPWvNWHaPQeMTR59r+Rr97n\/n5f\/wBCNbQacUckt2Rp90UGbLEHYCqtpczkXYfuCpZOrQ2c470kJkYLYzQ2LyHCTI9KQrMRTknnpVDsSJwvvQSx4JzmncvoKH7elTZkpXHq+fWhJ3CxIjH0p2FYlQ4xSAkB5oJHA5OapDQvOQe1WvMloXOD6UAkLu75oY0cb8S9KebQpgg3SPOboZ74AGP5Vy1IHqYKu+dX22PN9E0+61fWLfS7OJ5Li7mEUar1568eg5rnqVI04OT2PehBykkj7o8E6ZFpuhWlsoUJDCsYOcDgY\/pXyjd3c9uPuqw\/xP4p8MaPEYr3xBZRT9oUfzJM\/wC6uauNKb2REpxWjZ4B8UtX0q91ye8jSWWz1CMwagmwjcvaVc9wcGuyjTmtOvQ5qjizya\/sTaXbBGWSOQYV16HHcfUV60Kl1qeVUg0Z7IyuQOua6E+qMr9yS1eF5jHc\/KOxxytD0V0HLbUq3UJhcERg4zyf4h9O1Lc2hUUtLmlollLe6otnC0tyGIeIQJu5PHI\/h9x7VMXdXaHJNaoj1xWGuzRJwEwqlGHzAt1wOmcdO1PYmyjG50PwevDb+OHhWWSJzMxRhjPHbmtaLcJxkY143pfI9hmkWWV4fI2yEYVd2OR2+oOce3FevdHg1Iq5XUgDPT60Ix1Hq2eQKu40SK5Ax\/OpC7HoN2B61Wlik7lkWi7c4JPrXJVi29DqpWRHHG6Pt6ClCmwqSLMoxHxzjrXSrI5+pHuyPSm0hczQ5ZD0NFkJybJkO7oDSuJ6oVwMjiqQAAD9KBjxmncRJEpJxjrTQizFFj61VhpluNBxgdqLFXLVv8vFNiZITxQ2rCW5Wd3ST8eK5al09DsppOJqWEm5BnrW0XdHJUiosuqe5qzMmhAYgZwahysJnQWfhxryy3wykPjPPQ1zTxKi7NAjB1OG4sLgxTLyD1reM1JXQ73M+SbOfWrvcOUZDdzQSCSKVkPsetS0nowsPv8AUbi6AEsmRUxhGOxS8ynJkjireohsUjRn5uRStYegPcljnPeqWwmQyTnoec0nZMSRWnkJ6n8qoZCk2G60mNaCTuCuMjNSht3K7gkZ7DtTW5Jk6pd+TOEzgHis6skkaxWh0Hh+GOS3yO4ySaqLVtjOUmmeN6+h\/t+9GMAXEn\/oRrzYv3Udcnqyuoxgcir5iSzbc+1V0Ia1L8ZHl4xUBaxFOeMCi5m3roMXlakl7jcEdRTWpV0KnXOKbESIDnOKOgiTb8vFK4gK8DnmmmNOwq8H3q0Nk0Z4osSSqc8dxSYhQe1P1GKrY6dKVgHqxzxRFiHAgirAUcfSh6gZXixGnhjj5OQVOOdq9f6VnJdjpw7szg\/hrpE9x44W3g1L7DK5lWC6PGHUbsZ7ZGa8fFz5KV2rn0mH\/eyUU7H0loLaxq\/gKbw\/qExe7gi2vNEfvrnhga+f5lzXR7sYtxtLc4mbQ9C8Ob9Q8RXDx28LZkfksT7d63VWpJ2iS6UYq8jePiT4eXcMSxRq0DNsjlntiFdu4VumRScK8XzMVN0p6IbrPw18NeKrAnTYktJHGVeJMAN9BWtPEziZ1MPB6NHlPjb4c634eui91ZtIqcbkHDjsR71308XG1m7HFUwll7p51r9r5N8Qm5SOSD2rvhO8Tli+VuLHaUl7NdxW6w\/aXlcKkYGSxPam5KK5noQqcZytDc9o8E+EILbT5dsl6wAIvZNKaON7cjA4LDLlcngYzz9a855lKL20\/E9allUajSlL3vwPMPFnh+fQPHNzps0kc4t2EkVwows8RUMknPTKkcdjkdq9CEozipRejPMxlOeHnKjPdaGd4Tna28XwTxyhiZgcj1J+7z+VaKWlrA17qR73qXmtcebJIHYhfmz8x+UYP9Pwr1IpHztZe+0QAsSS5JJ7+tbHOlcliyTihsryJxE+OhwOtGhLTJY4ZdoZUbH0qJztoawimrk8M0u4Rgcms1I2Whfj0m6mj8wct1xWikupE02UpzJG5jkUqy9Qab0M46kXbNJMUktx0Skt64rQSsXbfaBUsbGy7d2RVIliIDx6U7AaNnZF1yR1oRSQ9rbyX5HXpVomRKigU7giRTigqw4HAzzTEvMehLf\/AF6TC6RMsQdeahq5SnYabpLaUKTih+6VyOZp206ywqy9\/SmtTBpp2H+cFPHFJoRtaF4rkslEMgDJ6jqK5a2HUtUCRX8Vakt8C8RHzVzKUoaHTSpJkOhQI0eXUHimqkmaThGOhj+N2EMRkQY2jPFaupKMbodGjGcrHP6PrAmYJJ1pUcUpO0jbEYFxV0basGXI\/Ou255jTWjI5uRgUwK5+U460kwuQysO2cUBoQSk49aSYEDPx0qmh2I5WbYSDS2BEMEjFgpasnPUtx0KniSxaYLIv51lWi2rmlJrVHQeFhtsQpPIUVpTl7tjGtFcx5D4hXOv3uP8An4f\/ANCNeetIo6JPVlIrzTTFcmt+PpVIXUtqcriqT0B6CSHPepM00wQYXJpMhsd3BxSvcQ5E55p3C5LEg9KVwJGHbtTQEbnnHSqSHbQjdgGGOtOKYldiq57GrBE0bZ70hkmaLAAP\/wBekJjozz0puIEqjBBppCFYjpjg0JWYyKdBIvP4mna5UXY4\/wAVaHDAlpbQK0j3upLj2DHBX361w4qKhTbPWwNV1KqTPov4FeCpPCWkXMYuZbhnzErSsWIUnOOewwAPpXyOIrOrO6R9lRpKnG1zU8aeA9O8U2yLeRsDbzCVdpwCwzjI7gZ6VMJuOpcrPRkXhn4Yabp2iwafbQQLa2js8UIUnDMck8+p9Kudec3qyIxjHRI6GDTYrMFVjVcDHFZKQPYyvF09o2jzWtzEkocYIYZra9tibM+UfjzpUdlrkU9vxHKuCMdCDXrZfUvFxZ5uNglNSLPwc0xoYv7bmhkBcmG2kC5CccyEenQfnU46td8i+ZeBw+vtGemeB9VvTZa3puqWcMOoxRh5JY1ws3zLhsf7Qx0rzZpJp3Pdw61VzzP453kE3xAkgRSGsLKG1lH+0AWI\/DcB+Fe1gIuOHimfPZ9WVbGycTzaxl8u+VxwVkzn05rstc55Xsmj33TrqW9toLuRcboVEjKcjfjr+IGfzr0sPJygmz57GaVXYtoSe9dZyFqzwZlFSxxWp0OnQpvXeBg9aybdjpjG+5pXsEQQ+WBjHSufnbN+RW0OdnkSO83Jg4PatYvuZSTudVouo2j2IbeA2ORnmqs0RzGF4hdJp94xnPUVqtdDJ7mYOOKtR6kyZPEMYIpshMtQAM4BqJOxoo3LwjiaMqEHNZqbuaOCsVfLw5HpXQtTE19PlRYBu6iqtYpPQS9njcgAikpITuQhuOKfMSOTJOabY4k8cRIxSUimi1HBhaLiaHDg49KolIxfFUchj8yMnIrmxCbWh3YWSvZkvhfUM24ic\/MPWsKde2jKxGH6o13kLDIrqVRNXOHkd7ELSqHAwQR0NY+21sbexfLce9yCvT8c1p7JS1M+dx0JoNSmSHZCQKl0oxFzOTKWqzT3g2TYx3x3pKMbGsZSjqZTaUEcPGPfArGWFV+ZHTHGu3KzZ0uF3QJwK6YK0bHDWak7ol1C1khTcrBh3I7VomZLzMyVvfNJjZAXBOCaVwsQTPjgcVSWgEOd3ehuw7j\/ACflznioUrja0H2tlGW3tmm0HM9ieaBGwh59KLJoV2i9pdp5aEhhjFQojabPGNfH\/E+vP+vh\/wD0I15q2RtL4mVwnA4pq1yLj41HXHSqRSXUnHApjepHnJpMylZMen3uazbJHxnmrUbBYkBxTCw8MMf55ppBYUnIzRYCEknmrtoIbtJ6jrTS7FJaAAQeehp3sIkQ9h1obQMlXmkIeuc8GgBy4HSi+ghwcA804odhQ4564pgGQVoegbDLKx+3+INLjEZkkS\/heNfVg4rlxqUsPNt9GduXzaxMLdWj6RuWn05QkKFiDk47k9a+JiforiaPhS+iujKpTYw4ZXHIpuzMWmjSuvLtY2foD2qSkjlNd1IIWIOKSWo2tDzjxXqctzOVXIXtWyMjzXxz4Zl8Q6pbK8gSGIEyHufYfX1rqo1\/ZJ23OapRVRq52fhLQpLiwW1sbOHyYE2FZNyjphSCBzj0rFz1be530aV1ZGb4\/u7XwD4XaTUZBLqMmFhjZv3k5BygI7IDySeTgCtMPSdaoktup0Vq9PCU3J6yex4Fq15PczS3l1N5txdu000h6sxOSa+kSPi7upUcmZEPUsoGaUUdUux7b4FuHufCmlyBVx5LpuUD5sN0J7kZ7124VWjZHh5hbnXc3UY9+9dyPPs7E9s2181Mn0KijTj1AxoFJye1ZNXN07DZdTuXXYJCF9PWpcEV7ToVFZixPc0WZd42J4mZV+ViPpW0V3OWTvsTCTeOTn61S0Yk0IeuatEyHxE4wOtDIsSqzjkmokuxrBsuwTt5ePXuKiEbO5cpXQoNbpmY8uQpKk9KGhR3H6FCtxdF5ydoOAB3rz5VGpHpqipQNu60pPJ8y3BHrzXXCpdanmzhaTKpgaH7wq07gtCxbkDmmVcndgqhs0DtcpyXAMmKSqK9rhKi7XRHc7Zoip5BFaSV0RB8rujHs7ZoNRXaTtLYrzqlBp3PSjiIuNmd7a2ts2nhdi5K9e9OKkjjlJXOc1JGS4KqRgGtfYpvmBVtLFaVmW3POTXQtEYv3nqV9NvCbgIe5xmsZyu7GkUlqbUyKEBohe4psiJxWyMSa1nSN\/QGhiZLqc6C2PzZyOKLjMCYnFIFYqyuc\/TpU6l6MZ5uTiqj5ksRfvcmmSWEYlMcUWGyxA+3tVNXQkOJLNnGBStoO5e0+VdhBYDjvSYPY8V8Qf8AIevT\/wBPD\/8AoRrx4bK5vL4mV4m+XBp9SGtSeEjArRMtbCykjoaYMj3c4xSM7DgxBFJJXJJFYA5pgkOLk0WDUfGxbr9Kqwh+PyqlYGhwWqWwAU54pXAQp0obEAUg+lTJAOX2NUtEA4H5qAAn0oAQHnnrTGhVbjtmhXBioQCKq4E1pcy2d9DeQOVlgcSRsOoI6VlUgqkHCWzNKNWVKoqkd1qejXNl4y8S3um6lpniX+z4pYll+VAQxIyVdSDnoehFfFVaapVJQa2Z+jUK7q04VO6ueh+DdPv7W7lvNTvoJZGjCIkKkDPckmsWrmk3c2NYnZ4NueCKz2Gjh\/EZ4YA1ohNnGanF85bvVoyZkSkLcMcZrSKTM5aPQhsLvxxYO0Fp4jS303cWjCwK0qA\/wgkUSUHqlqaRq1IR0Z5H8bL6S58VQQSTPcSJDvd5HyxJJ5Jr18BC1Ns8fGTlOd5M4+6IjtWJILOMDvivRTOKnrNW2KcPyscdSMU0dEtT174KXbP4SuLXKlVmEgB\/gOOq+h6g+orowzs5I8fHRd0dYx5I5ruW1zzh6bvWhWBXHhsn60Iq4+M88H61VtNQbHrjrjFPlIbHqce2PfrUt2HFNkqEMwxTi00Nxa3L1tbNMMgDA65qibMdJbNA3OCPUU9xWsKuD2oaGmSRj0osPmFG4nnmkIkGccVfQWxPo1yLe5IkHyMfyriqUrs76dd8p6X4N0catpzTE4jbpnvXPUq8jSMVFydzD8eWK6ddLDXXhpuSuZT3MKJxmupsEhZZMpjtSsGzKMxYP14rjlTakdsaicR0UhK46V2Qelmcc0lLQduXeDxmqdiGXo9UuFhMYIHHWo5Y7k6lRpHZiWOSfWqdguQ3LfwE8VL2GnqQ2duBLuxWbhdmnNY0jKdgBPStIpIzk2RtL2x+NPci4zzBnqaQ7Ebygt97n0pAQyjPfrQCK9whA5o0KbaIAvc0ybj0B9aYE8QOM+tJuw0rkiA+tJSK5GS5wtVdE8rG21zGxYZ6Vm5K4JNHkfiPjXrzn\/l4f\/0I15S+E3e7KkZqk77iaLED4696uwth0xOOe9MGRK2DQLccrcikybDi5qlqOw5WNOwpMngPNBBYUgjrikwHZAPTmqjqCJI\/mxQwZJ5ec1LYhkgFNBcjcfhTQEbcDimtxgDn1qgQqnnGaQ\/MUY3YzTWwkia3i3nms5SS1No0+YfNAyDdg4oUrkyhys6HSPFPiPTdIsLfSYRMULLkoCFIOQCT7GvnMxoxWJb7n3PDzVbDKDV7aHS6B488azTRxXXhaGcM2GltbgLsH+1nj8q8+VOKW57VfD+zWrO\/e\/Z7RWcFTjkHtXI0cuxzmrzCR2weCaqIHL6\/KsaEAjca0Rk2c6JTJchVGcn1qr2IZa1VxFpxweT2pxd2LoeM\/GXT5ItZj1EoxR4gHcDIXHavZwFRWcTzcVB8111OBu5mlYDoqjAFejYinBRQ60xvBJzzQTU2PTvgm2GvI8Z3IGz29vx61rQXvHmYqKcL9Tu0+Yj3rtTPLcS5EuAKq+gJ2RFKpWU+nWqjrqZPRixtiqHcs20YkyW6VSdhpXH3cIWPcnT0rKeuxvCJBCzCTioTaZrNRaOg0aVDAEPBFbxd0YJW0Jb91K7epzVxMpWuVQPegWg+P3pi3JBzQkkDuSomRzTYAYsc9qnlGpNHb+C\/F8OlaesE5I29MVyVsM5u6NITMbxdrTazqZnK7UHCitaUPZxsOxmCUDvWgJiGQ5xTBsZIwYc0CuRb8cdqcU0yJXHx7nb5eaqT0BK7NLTrPzj8\/FcU66izpjQbVy8dLRE3bsitFWuYShZmXqduI3HPB6VqtSGQxMqjApsGxssrFuKiU0txqLaGq24ZJqk0S42I7yby4j9KTloEdWZdvfM9xt75rGE7uzNJw6mkjjgscVqzOO4bvOfYilqyU\/eNpwbWg+WwnRMlfwrXnRkoPqRwRYyGGD700wbJoEwenFN6"} 18078{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1491,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":142,"flow_packet_id":3,"flow_src_last_pkt_time":1654385136207603,"flow_dst_last_pkt_time":1654385136563848,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":13026,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":13026,"pkt_l4_len":12992,"thread_ts_usec":1654385136563848,"pkt":"nLbQ0+MztKXvZygQCABFADLUFpdAADcGEausaXlSwKgCfgBQtFrv1dsDOBd56YAQAOsbqQAAAQEICsmhz1jytRrT\/9j\/4AAQSkZJRgABAQAAAQABAAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMABAIDAwMCBAMDAwQEBAQFCQYFBQUFCwgIBgkNCw0NDQsMDA4QFBEODxMPDAwSGBITFRYXFxcOERkbGRYaFBYXFv\/bAEMBBAQEBQUFCgYGChYPDA8WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFv\/AABEIAQQCgAMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APFrvW9ct9Tm86+1OLEjbROnmL19eDXiyaex9drt+hZg8S6jtDPf28vH3WZkP68VFimkxLvVLa+iKalocl4uPvQuJP0zWsedbSsROnTkrSjcqQweF\/JBtr\/U9KKnIQtIgXPXg8AVXtK32tRQoUEvd0KMngKLU3FzpHi4ylzvBaXdvP5itFjJR0lExngYz1jIz9T+Hnju2uVuYJPtaoxOVuGUj8Dnj8atY6m1Z6GTwVaOqszj9Y8OePdOumZ9Pv2DHL+XLuDj8DXXTxNCS+I86thcSpX5DM1W71m1n8sJfwoAMPIHBzjn\/CuiPLNbnPKM4vWLG6Zqd1bzhpbm4dSPvCXO39aJR0sioO25evfEeoaXew3Vpq13BdLEhiltrh1ZCOQ\/B4PNZqHMgqSSMpvE\/iO8vjPqfiLUrlywbfc3TyZYDAJ3E54JH4mtXtaxhFtO7LMmp6g0Dpc30oSaPDMzHKt7c8dqytrdG91az6lPwxcXU+qIJrq6kij+Z1E5XcPr26VtVd4mVKClLU9A1LWrm28JW0T6hfeZcRmWCVZcqmXyNzZznH16153I3JtdD1oVFCCv1Oa\/4SjV18QTQR65PFatO0rAsWQgjGSB6jrWypXpptamNWtaq1G1i34k8ZapPZW13LqH2qS1l3GKTI4IAzjPsvPtjtTpYe0mkZzrppMd4Y8YeINS1KPIe4dd0kkvmNlcHKnGcYB\/SipSUIvUdKu5taGjrHxD1nSdSW\/aW6Pnb2RkOFDldpU57Y\/KsYUFLqa1MT7K2hFo3xJubrybd5r0pC\/mlBJwjFQrYJPOcd+30pyw2tyY45SVrC2vjSadpLA3UkD790aNK2D\/ALQGcE7amVBpcxvQxb+DY67QdSn\/ALGEaXbyJy3EpYsc54PrXNKmuZu52KbcU2ibXfFDabLFLFqUkUs8g8qIOd5wnO0Z68d+5qFRlO9jSeJjTSUkRy+P7u90uQ3eoyJ9jmX52kxI27hcAdcetVHDyXU5pV6c9Weg\/Az4hXPiLwV4g8LQzxtDo8P2kygMJC8jqmOeMfKcY7k1jiKE4Wcup00K1Kd4w6GJ4+8W\/YvE1rpU0qCSGNLj5pD5jIU2kBemO\/vU04Sav0Km4J8repL8SPiTf6sv2LTbiXQrjekh2Op+XacgAjGW6\/hWsU9mrowcoXunZmAfE2mQyaZJbeL\/ABRfSzKTetOiKQxU7FRFB6HBycZFaKP92xlKeukrm1c6\/wCFb\/wdFPFrGtL4oO1ZIZAgtmwRnkck9Tx0NRVTOihOz6GG0tx9lvYzcToPNQSIZjk4Xj6A8U4zdkKpCLkzqtJ8a2yeDptJ1H7e04uDMkEYO7HlIm4v7kHiudRkqnMapR5OVkkXjCyW80eWC8ns2tdUFy\/kMzsIwVyQcc9CfrWrTsyIQhdXsXfjJ440fxK+grYa1NOLGEpctKWUl\/MJO7jGSMfSpw6nTurbmuKUKrTViLxR4i0zUdas7ufUZpIrfTTGDH86ofLKhSW75x+dQnKO3UUYwsJo+qaDY\/s6+HtLvbqxOp28sjXllMrLc7NzfPI\/oQRgeh9q3lVlKd0cvsoQVmro4D4beJXi8cfY7tp7eCPTrj7O9wfvuZg\/K+oGAD7VrUi+TmXdG2FrwT9k1Zcr+9s9P8G+IdPk0fWrO91q3hW4aN4yyuxnZCc7MDC8ECuedSV0RGCZY0DxHp8Hjm+1OW6+zqxh8qaRSyygMm9SoBOAAaicm5GsYw9na2pz\/wAe9UbXn8bQaJPO41Fl\/sv5iiuAyliM42YAPWuqnNKUW3scdahzU2o7nk3hu11SLVo764vCv2XmNxOW35GCCOmBnr\/hW0qvuNLqKOG\/eKb6Hd2msXcfhOWL7S6tuk3FnOPvdc\/iK86pBudz0oTjGFjS+G\/jF9Au7w6i109lepsmEMmDlQcDJOCpBOa0lJySOe0U2dus82ofs\/Lf2F5II3huFiZTzgMwxkflUSk+a7CEUo2R5XpnijT7nT5SNTnD3cKK2L8KYyqDIIHB6dOK3\/eJ7EOdK17leTxhoy6MlpLqizRyzh4zJcsQzbAu3APXjqaXJVcthPEUVCzaJbv4iaTBZNF\/acBt0iChIwzqRyfToMnn2NaQw9R77kyxdJaK1ipp3jiXxBcM0WtRzSwNhkUmPCHByo4GM56VnUoulurF0sTGsrRa0MbXNbESMbm8mdMjBBPJzyMdvargrtEydlqUIfGpsvJsLaW+kRCJfs6vld2MKWYdWHrjpXSqLmrnLVrRi+Vlf\/hafiHRdYuporzVbS7u4mguyuE86JuSuD0BIH5VawblHe6MXjYRlqncrW\/jC9i01IrSea1XBcBnALM2c5Oc++CaJU5N2bBVqaWi0K0HxC1ZrqKEXs8O2VmZjHuILAK2eSSCB0\/Kh0JW3BYyne1hL3xNqEMRnt9QvVmUBgzEkNHgjGS2cYJ4pqk3uR7aMXdGpZ+IDeeBNGiXUipt5p4JfnKurFtysT1KlTj2xUzTU3c3hUjOCscj4xvr0ywSpcTJuB+VZmwffmuijLdHDi9ky74G1K5fUrSNp7qdFJDpFPtfn3HOffmnU0iycOk5pG3qp1dtChhsIzdyvdMQ9uzyXGPRlHAX371zxq3lq9LHdUg1TSiru\/zJo\/CHxEv7fy7LStQgW4bpcTCED0zk8+3FNYmindy\/UyeDxEvhjuXLL4UeM7SYDVfEun6ecbjG9yZWP4cc\/Q5onmVL7KbKjldb7TSOx8KfDPTG8RQapP4z1ad7WQGKHTrctHgfwqcniuOpj5Si4cu52UsujGanzXt5F3xbd3elX81jI91GkJwsTtslnzyABn5V7kmuON2eg0krWKSG9Nkb3UJ5DJNjZGrkAD\/ZGeg9TTur2TFyWV2YuoXAV87X5PGbnv6VspO25lKMex6x8LPghqmsaXH4g8ZSyeG9Gdd0SSuTdXi+qp\/Cv+01R7SSV7iUI3tY2vHHxf8AC3gDRE8PeAdMhMlsCvmt84V+mefvt7t+ArJKU5amjkoKx4xrU3jH4iT6deSa7MqXVu0927SkgSeYyZx\/E3yjr+ldt4YdXa1OKPPiJOMdkT3Os6f4L059G0O6uL+\/cg3F08pYeZjqx6ZHZRwKySqVpc8tEdUfZYaPLHVvczdHlv5L2TUL+4uZ5yCfLSVSzZHOEJ5PsMY610Q9w460udFe8ju28ySz1E+UG2xjzHIc88BiBg8dPXvS5bvcFUsrSRz95q1\/bz29wlzPuSTIBc4PHIP8q2p6E1NVZo7CwMOo2MEdvdXUaSwt8rSl\/MXbyGz\/ABJ\/Lmom+pCje6ZyPjTUZxqdtpgu2t\/O2FrlpGLPGPulznBLEbicdMVrTqe62YSjaaRvaLo+kbluLnxA86qCxRX2h+OmOTj2rD21S+iOp0KVm7q5qrqGmafC00Wqy+dPhmZZ5CCu0rnIA6AdB6GtVOfNqjGahy2TLf8AwmvhLStuLW8uP35Z4RFs8zj7\/mFj1PIG38awlTrT0bNY1aMLWiSv8YN4EFlokkcYBOZbtjtAHHCgCpWDaesjV43T3Ymbd\/ETXN729obOExRqZJJsZD7gX+Yn36gHOK09kjn+szfYgfxH451dorfQtS1SWI9UjBjMg5JK4A98g9OPWlyUY6yQ4yrz0i2XLHwV8S762ka4YW7zsGDT3WGbgjBxTliaUdjSOEqt3ZTTRrWOdrXUPFMaXttvE8Mc+AAW+8rNxweNvUdaXtpPVLQXsY3tJ6nU+G5\/BFlHFJJYalq08TZTktGh93fAznnj9ahuvLZ2RpBYePS7+84Ua3rxv5mUNKm9hlJFfAz3BORWlSlRNaeJqWWhZt\/EU8swhutMhduhEkWM\/j0rneHW6karExbs0XVnsmYO2kTwlhgPDnj8qTpy7lqtHsT2clu2AupXUQ3BWDxbwPbnAJwelQ1JOyRakmrmvbadpkjBDqZx2b+y15\/FZM1MpPqiloXzo6wQGew8RCJ0xx9olgBPuCGFJVE3ZoG30FWPxd5eYbqG9UDJAnimJ\/kf0o\/d7A5PsQifVVIXVtGICn5mFoVOPqTijlT2YnO+6LFz4b8Gak++5htGUjlns+Sf+Akn8aSxFSGzf3kOlSe6X3FC5+FHw\/vo\/lazRjx8l40Tqf8AgWPyrZY\/ELqZSwOGlvEwdW+BugyZTT9VnUt90tKGH6A5\/Oto5nVXxIwllVGS91syNX+C13eCKNdeghmgjWOOOT5lkA\/jLDuee3atY5jFO\/KZzyjm0UzGuvgv4vsJBJY3thdOmCPLlK\/hz1rZ5lRkrSVjCWU4iLvGSYnjPwL48ntbO3ttFZ4obfbKkDry5OSeTSoYrDptthiMHinGMYx9bHKp4Q8Xaddqbnw5qMSE7Xb7MZAq9\/u57V1zxNGS0kjiWExEZe9B\/cdRfeBri8eJvtsEFnLs8xZldJwo44BXHTp+tcX12ENLO\/4HestnNJ3VvxMi5j0zw94nudDhuPNgM4WG6fG8DAxnp69q2jOdeCmZVIQw9T2d9CtruseVdy2kcdnM8cxZt1uHVTnkc961pUkveZjOtryrUv8AhXWZ7lPskCWqTO5MkcVsiF0A4PA7VFWCTuVCrzadRsOt66upS2ianG65YXBS3iPbjkrnr6UnGChexdF1JVOW+nU6nwpLFb6QsYaKaVgZeDje57Njp9B6VyVEm20ehSlZWucb8ToJbvxBFJDFjK4wpyA2fWujCSUYu5xY+M6kotIv6XpkMFhBDLFMEQCNx5o3ZYN8y8cL\/ifalN8zdhQpcqSZ6b+x7pT22l+NkJwD9jh35z8u9j\/IVy4+fNyHZl9J0+e5yn7RCsfjQ6LO0aQWUSsUXdkbTxirwtvYvTqZY6\/tlr0OR8T3GoWtn9si1GVbksYbqMx5+UgYO45yfpyM11U1Tfu2OStKajzJkPhTVtYklDf2iVaBQsSpGNxXBycgc8dc06tOC2RNGpUluyprup3dhqKizvo5kwJI5Y0IOMcoScHHPT3rSEIyWxFWrKMvdZ02j6lrUOimT+0bVHkTdIzH5I2wdoPHykAdM44965p04OWx00qtRRu3qdr4o+E3jzQfD2l67D4ksdSGqwW0yQQxP+4MqGQty2OBwT054rF4iim48pusPiHFSU73Oa1Kx1gAw2up2sssKAMkkpAeLknGMFuf4vY+tNOK1a0H7Oq3aL1IGtPFOnBBqH2RBGiuJPPYs2fmQYPB78Y5pqdKWiuU6deHxW+8dpcviPV\/F+naLpGp2wudauRBBNJKSsUpbkMADgcdxx2pqMFFyktjFzqOSjB7nS+LfDHi\/wAGXMsGu6to8i3Fx9ldra6dosY3YYsuQMjkis1OnPSKN3CrBXnY5LSbDxVqmo6r\/ZUtkJNOhMlwzj5JR1Dr1yfTt61rKdKnFKSeplGjXqSbg1dG7pfhzxXqGi217beJLCKCMb98kjPFGGIViwUHgk4xyelRKrRTs4lwpVpR92WpH4H8MeNdd8SSWEPiBZII7grJcRo5UMS20L0I5XI\/WplVoWuogsPiE9Z6G38S\/g98YtLkmlTRfEeo29xbCS\/uEsX2xluuWfGCOhxW9NKW8LM5qslFaVNOtjnPBfhjxXpzSy3k5Fpa2qXM9u8gbbAx2qQBwfmxlQc1lWq03stTpw1OrG15XX6GhJPJ\/ZkyQTljG0qq2zac9RxXI1eWp6MV7rOY8WLIbOOC41C5MDhyHSP7suM8jI9OvpXfQXVI8nFNvRvQ+vv2A\/h\/aeP\/ANluHSNavdQ082l5PABbbMskh3hvmB9eKU6EKtWTv2MVi6uHpQilvff1Pmr4rfDPTPDHxH8Q2\/hmw1mfQNJvHtP7W1C5jZLuRXKs+1VGBuyAOemSa2nVtaCZFGlKSdRrf7jnfDHww1TxxrM8miCG1gijUzNLvl\/eEdBgAnI59qUsSqStLcuODlWk3C1jutE+Cepra29m8tvHJtZVjNhIxnI65BPBJOOP61yyxfVI6Y4OytdHmnhTT3sPipd2Fuz+VpzywTSsoAQjgjp3IwM104icZYdOW7McLFrEtR6XNDxxMqWVxE0uAxJWPdk5BzkVzUl7yOyu1aRj+DrJL\/XnsVuBB9rUsBIpMUixgs2cfxAZxXXNtQ9DznT5qllpf9DtLr4PaxdwxXCagVAQcrp80hZSBtP0\/Gsliox3X4mywU3bX8GZfinwP4ksH+yadpmrajKyBvLTTHiXceM5PWnGrB6tpfMVWhUWkU38jTl+Dl\/Z3OnTy6zPG9xbs84\/sokwPhcR4LDdnJGeMbah46DTVjX+z5XTv+BFZ\/CrUNTa4tJ\/EOlae0CnGWDmU5PBAPy8c4BPJIpPGwTuk2JZfUenMkdF4a+E+iWNgbSfXp7qVirs9pbFk3AfwgjnOfWs6mOlJ3SsdNLL4wjZsuN8KfB4kEk+natqBXLM15eR2qZ9MZBrH67U6WRo8BRl8V2anh\/RfBuhxiWz0bw1Y3Ck7JGlkvZsD02cfrUyrVZL3mzSnhqEH7sUjUPiOyjjNrbX94fl3MdP0qO3x7AuTn61nyye\/wCZspRWiKtxr0iHMWl316xxh73UTwPcKAPwzS5VfV2Bt+pDb6jqY3PBp+iWLEHJhshNID\/vPuNNOK3DUaZNfeVpLrW9SEOB8nmCFP8Ax3GBS5obJB7\/AFYrR6Q9pI9xc2zSlflllYyuGHK9skfj0oi5PQdorVkPhvSdY8R3qWGk6fLqmoXZAjihAwo\/vMTwqis7RT3E5aXPXdH8O+BvgzarqniK5tdd8UrGZFDANa2GO6ofvMP7x\/AVam27JXMntduy\/H\/gHifxe+NXiLx5dXMmnTXMtmW2iUMVJHb02\/zx6V0QwzjK89\/MwlXvG1JaHLaDo9jqFraatfXNxa2UKl7lZvl8189iOijH1JqpycG4pajpwU0pN2Ru+LXuF8MWs2iZsLKWN4p4MCKTaGyu0dTuySQOfWnytxXPqyVNRnJQ0TONiCxEEIcKwzx+f41cbmbVjobNJrVYCYC8Udwv7wlnRifuvs6YIP3vqOtaGTad9SvqSCG3a7i8lELjEYURup+YDK5Py5yRjjios7XC93Y5nWCrQxcEBp1B4B6nGa0pprRhUdo3Ow0KF7eONEgeWGP5QnzDaeck7gpyQT7YGKmSvoS27XsYPjWO2ne5aaJA1vIQhcDMTHoqtnOD124OPUVpTlZWM5q9rlO3tDOEMcMk5dAPLAY4PocevYilzFKm3sjqdI8K61dA\/wBnWMh+yI1xtjQlYh\/HIQx6Dhe\/enOpFLRijTbex0L\/AAm1S58RPaa7dxaQltsWa5ZQVtlkHyjrgjJxn+HPOKzdf3bouOHk5cstDWvvhx8MNBs2afxV\/al1HgrHC5KPg\/MpKDAzjAOeKyVas3dRN\/YUYqzZltrXhC2WBtO0eO6mhu0dmutqgIud0bsjMSzZHTA46VVqr3ZHPTVrIzP+E81mTUn\/ALD0ZYp1lDsLaz2hMBgCzElSSrYOAOgpOjC3vMca03L3EVNQv\/GmrZivtQeEMclPP3BfXcQQq\/rSUqMdkW\/bzXvOxT1KztNNtrW4Fwl+zlgXBIHb0xnp\/wDrrT2sW7JGfsbatlO61qPeGt7Y+YBtBnO9FHsgIFTCH8zKlNR+FGjqbawb+5DWDyZkbDK8Zxz+BquWm+pfv22L1tFYklLyxeZMH5fMK4Prkf55rlk2l7rN4qN7MakMMEz\/AGaOaNG+6N2WXjHU44yDVc2lnuWopPyLljYfarsZ1a4hDrndKmccdCM\/hWN2jWy6Gt\/ZF7ZRhoZxeqOS1uh3LnOCRjA4\/GpclJBZplF5mldkknbg7ShOD\/8ArqlFJaEc2pb09MOQVjYqBls\/55qJGiJo72dr5Yo9bvbSLZh3t5SQDzjA5Hpnp3oiklqrhurF6Sx1KcAQ+J7efByBd2Shj7EgDinGUOxPJLuTRRPbRONb0AyknMdzYqwR1OBngnHTjOOvSpbjf3WNLTVHIeKfF3g\/TkjIl1GzlkbI88F1xg9NmTmumnha0+lzGriaFL4n+ZseDJrnxDLdCwltJJbXZvWQHcA2cHBwQDtPPcg+lc9VeyS5up00KiqX5ehuPp+rxrt+wQttJzskx\/jWHNF9Tosyu66tbsnmWF8rAnmOQMPxyKuLj3Jt5Ekeo3hf53vYzjlWhBz7cUpWGh1zrzrsWeZEHCqXt2yT78URSewNrqV7y50e7XzLqz0q7GM\/vrdcn8xxVJ1I6RbRnKnTnukzE1LR\/BFzN++8K6WXPO+KMKc\/gRW8cRX6TZlLB4V7wRnx+BvBsU6XNtos9rIrfI8U7Ag\/nVvGV9nK5j\/ZuF3UfxG\/8K+0F41WNbyLLdFlByfXkGnHF1C3g47RHr8O7CK1uIYb65i+1hR5wVC8WPQ479801jL6cqM5YBN3UmvuKkfwtOGWPXpJBncGu7Ndx9sqwpLF315fxGsHOKtz39UWz4H1lbEW\/wDaOmzLn5S8bqwHcbgT6Cn9Zg\/hTCWGqaPR\/edF8ONOvPCmga1Zm3tTLqMsLK0Vw2Pk3Z3bh15rGrVU2tTWlTcE7pHCfE\/wj4q174jT+INPFkLeZY1aN7kZIVcEEEfWurDYmjClyPc87FYStUrc0djltd8AeOr+ZwltZeTuyI0vVJ+pJ611wxOGitW7+hy1cDi5XstPUl8MfC7x6tx5Z8NmaMAsHgvIw6nHY579MUp4vDvRS\/AmngcUvsaeqKWp\/C\/4lt+8vPDkm1eFzPHx7da2WKw6+GRM8BjJbw\/I2PDXhbxX\/Y8\/9peHdQRkdQiwsCJM55A3fwnOfqKwqVqV\/ckjoo4er\/y9g0eoeP8A4g+I9e+H1joOl+BtdtbjTxAJJFh3LIIo2RuMcbt2fauGFOLndyVvU7pTcYe5F\/ccNban4t03wpDotv4F1Sa3mlaabzLDLqSNoQSY3Fe4GeM11SjGT1mkcsKlSFv3b+4h1uHxPrU6KfBPiK3UiJNxtidgXgnI9\/0qKcYQ150zWrWlUVvZyXyK\/hXTPFGh\/EnSdWk8H63LbaTfrc7Y7X95KATyDnHOa1lOLptKSu\/M5YxqRqJuLsvI7T4s6hqnjK8uGsfAfibT4k8+7cXFuu6Z22gJlT7cYrCgowd3JfedFecqkVGMX9xh\/CxPFujL4jgvPBetzXmu23kW6m0OBkcE9+v86eK5W4cklZeZphXOCmpRevke7fsWfDTXdcN7J4gtdV8MxaPDHFDIIkDTTs5chVkDAqq9cjqRWkKEKzcr6HJiMRPDJRS1fcZ8e\/h9p\/w\/+I9tB4P0n4geJvEWozxXt5dxWqmwslebJDCOMBmIJO0EAAjNFTDwhZLciljatS7lZI9+\/bhsdQv\/ANmXXrDT9JvtYkuJ7WNrGzVmlkRpQGKgc8dc9sV2V\/g3PNw9vaJPY+T\/AAJ8DPi\/4s8H3mp2HgvULRfD2lR2aWmoS\/Z5NXIOSsQPUhQCQcA4AySa4VRlO7W17nryxVKlyx628jX\/AGLfhJ\/wlfxln0v4k+HYbrRm0q5l+yPeqGSdWQDIjYMCMsOadGNOU7PVjxdetTo3hpf0On\/a++Fnwk8J+PdL8O6Z8NtR8u60r7U9xYeIXtYwfMZcEPFKS2B1yODjFaznGjLY4aPtsQmnJHbfsx+LfCXw4\/Z48Y+INN0C+0q20W6iRLWbUTdPezmILEqN5S4YkgH5T61VGpFxlNXDFU5upCDaenQ8jsF0GL4cXGsT+BfGMmgxztFeXb64ZUWaQlyrE2\/OSx5xjkDvXK+WTc1F\/edkPaRiqXOvuPYPiroGk+B\/2TdMtfAC3GhGW7sp7aeMCa8JmIeUliMuxB57ADoBXRX5fY3aOPCzqPE2v3PF9X0vWtXlhu77xb4qvrmAZVrmOOLyh32knjNeU6i2R9A6d7Psc7N4M0YtcB47iOW4kLzyTarBC0rHkk7eapzfqHs4620uZ8\/hvwQm9Li10iKVfkMtxfSXGQO528EVXtqqtZ\/gR7Gl1X4jrG28G6dOLaJtFTB3CSDSmkYn2JORVuVZq92\/mJU6UXol9xt2+rxiBliu9UwOEW3gijUjHr1FY377mysV2vlMqSTrqkpU9LjUXQf+Of0p3vtYLBdajbzSeXa6JpAnfgSS+ZOw\/F2P8qTjpqyml2Es9L1aGHc1xa24Of8AU2qg\/qO1LnWwuWRnanPGmwanr9\/OHbairdrGv5IeBWqi3sjN2+0yuL7w1DLun3XDDkYkMjZ+uDS5J30ByprcafEui+QfJsp0IOAFRR+GWNVGjN7iVWFtihceMo1lUwQLtDFQs9xnJx6KKpYeS3ZDrq+iH23iLWZfng0kIm7bvjsmbHvubIxTdGHVgq876Ijn1LxHc58y+htkdsbXukjyvqFUkn8qFRp9hKrVfUjisb+WXdJdTzjdn5IJGDL\/ALz7VH507RWyJvK+rOj8E+FbvxFrcWk6XBLJdStkFp49kK+rbN3A9yKm7tdlaSZ6d4l8b+HvhH4ZHhfwn5d5qxh2ajfJjdI\/XBP90egrmnBTbsbXUVqeI2M+ueKfHtnqWozyt5k7eXH1yXUg4B+vet6fJSXKjmqKVROTOXu9I8jTo4YYyuFGQFBORxzXRzvmJ9leCsSaCs9wkdrekzxW7CO3inwip8pPPYnjAJp2V2yHKSXLc6WS5lXTluoGSFfMMcixxvsdFwEJ8v5QRuOcEA5HPWk9dhxOX8aahdmVLpVR2OAxbqVOSuT64x1q4K7szKblGN0P0DVZ3tlWeKUBgRHtk270\/jTd2HcejfWm0Q5rexLeQNLvQQMkysWAllAWVegAbpkAcg+uaTUluNTSV7HOajMk1lJH9lkQ5B3FgRWtNNO9yJyurWPR\/h3bXD+H7Hz3DRsrNGXXO4Y+7745NYVV710bR2tcy5rCxPiqzn1K1N3p2n70ZPNUeeuM7unLocZ45XHpV8r9m7PUz91TV1odBaePNLsx5WmeH4Xab5IZjDI4QdN4PyjIz156Vh7F31kbOtbSMRut+NteMK6a8bRW24NII0CYRUC8FfmzgDgHnPTrWnJGOpm6kmrXMVpdZ1BBGG8xZANvlLv8oE5I3Md3I4IPOTnNWpRW5KU5aJFu38GajeO0+paiqBsfLGTKygdsnCrj+dYzxMVtqbxwsnvoQXWjaDpFtcW+iSiW9APBlM2wd92BsXPvzTp1Ks5LmVkRVjSpwfK7s1NR8T6dpenRh7dJGwCsZfESfULjP0rJUpSbOr2kYxT2OF1zxLdanq8apLsWVwqqBtVeeqqK6KVBW94454m7tE0PEfh9I\/IZ5JUZgy7o5COQc4IqaczSpST1Oc1a0ltLhGgnmw20KhfLEnuOOa6qdpbo4qqcNUz0vUrzxRFNOLrRJSFZwJUgLHr17ivPdOF9GempzS1RnW19JJKfOvYoptuSs8Pl8\/gP6VUlaOgKVzTso726dY7dbK5d2wix3SeYx64APJ+lYt21Zom27LcsqZYcNc6ddINxG5I96qQcHlSe4I\/CiyezL5mnZo2ND1eO23+TLsLYyrDr19azkrGkZJmkdVknXc1rbTc9ZIQQPXpiskpbsttGr4v0LSY3tIbS2W1kvLCKa4KAt8xOeATx09afOToYLeFS3z2uo6eSDj55DGT+YqvapLUv2bOGn8eDT7grd+H9VU7c5dNufbjIP511wwya0kjjljOR+9Fkl18VfDsiLAL+WPzFCNBJDIck9QflxR9QrXul+QnmWGejf4M8g8b6il9rV99nVGjadgmECiNQ3yhQAMcf1PevZoUnGETwsRV55ytrqSaF4j1jSLSa8tdRuIb3y\/L80sSTHnOCe\/OOtTVw9OdouOg6WJq0k5Rlr+h3ngL4j+Kb51VG1BppXKJLBBvhHy7trMx+98rcfSvOr5fRh\/Wp6+GzGrUdrO\/4HYQ+LvFsUZeZ5TkAlpLM8n34riWHo3svzO9Yip1JR8SdcLeVLFaEY+YmFoyT+NKWCgldMaxb7Ev\/AAnsspAm062mBPJWXH4ciksPbqV9ZT6AnjCwe4KTaEQg+6Y3ViPWm8PLdMf1iLeqJ5da8KS8zaPdJk5P7sZ\/Q1l7GtsmV7WnfUadU8FO4JgnhHuGBP6UnTrp66lKpRfUcZvB7keRqToemPPI204qr1Qc1Loy9bwaVIAsGuSqowQDdrj9TSdSV\/h\/AtKL2ZqW1lCIgIfEhUnj78ZqPa6\/CVyLuNeDUoiwt9UikBH3vKjJP9aOaMuhPK0PksNSERZtRtT\/AHt1uB+PWleInFkVzp2pN8zS2BA+7+7OMdulXGUU9BcjGf2PqlwoDJozZIwzIQKJSiuovZyJP7N8SW8ilE0RUA\/5Zz7Mj3ANJVab6sXs5roiK8g1+dgs9ppcwI+4ZycfrWl4dGDjN7oj8jVFG3+zbAH1WYj+tQ3HuHI+xLCviMNiGzVVA4K3jAYrSLj3Bwl0RKE8Z7XK2kgT+ApfHGPfPWofJ1YuWfYdbWHixhuktpGJ+XH20\/0qVOnsHLLsOEPiOAPtsix\/hQ3pH9K0co9QtNdBdPk8WPHmTSpI\/mPTUic+\/AocodGJRl1RraFbeONS1y2sNM05Zrq5YLDG987ZP944xtVRyT7U0ueSjHcyqzVKLnLRI+oYLd\/h98H9SuLHyry+0fS57xnmJ2XFyELFmPXbuGPoBXt06XsaVkfK1q0sRW5pdfwR8maLrfxEuoYdUn8Wlp727S4uXbX5EBLyAsFQNgDnAA47V5TxEnOzbPdhg6ap\/Cj6o\/bQutSsv2d9Wn0vU5NNuReWardJO0JQNMoI3KQQCOOteviJclNs8HCxUqyTPnPRNA+K\/iHQNR1jRfGOp31po6CW9ltb24dYsjkL8\/zEAZIHOBmvMhVqzTcb2PenRw0HFTsm\/I0v2aPFmneAfiDf+NPEviWG90+LRbj93CgMtzM7ptVSerMc9T6k06FWMKjckLHYeU6MYw11PUNE0n4ufGvxTZ+OtU1rV\/hh4NtLXZDp9le\/6TqEYcv5r71Cx5BwXIxgcA9a7oSlV1tZHkS9lQXL8UvwR7V4YvtCv\/Ckdz4a1G31TT445I4byG4FwsjR5Vj5vO9gwIJ9a6FaxxO6bufFPwg0P4tfFzw9q62PxO12a3t2+z3kV7q7rFJ5u75AoUgjA5B9q4I+2rNqL0Pan9VoKLnHV9jl\/i1dS3vxHltPEvjK0vptAiXTEis9Qdbaw8pQhiTIGW+XLMAcknmsK\/tE+V9DrwdOk1zxVr9zAubvwmkOW1W0JA4AkeTPrn5TWKVV\/ZZ3P2XdEZ1DSIvLIEW0\/Mmy1Ylx+OKapVCOemuosvirQkwI9LkZmXO5oEGR7ZJ4prDVO5LxFPsZdt4ttrS6lkW2ciRSUX7QEXb6cD1rSWFk1uR9ZgtbCR+NJJpRHbaPZygruUkzT\/kAQPwxR9US1bI+tXeiLw1PxJeRutv4echk6waMRx6bmHB\/GkqEOsvxG68ui\/AZep45nhKTi6toxgRi4vIrce4IDA\/pVKnSXUTq1n5GdLo+pTuzT3duXOMYmluCPUfKpz+dWnBaIm82Ok8ORwwtLc380G4jAW3SNgB1AMjj+VPnvoiXTdriR6boe5la8uXwQdvnsSTjsIYz\/Ok3NPYSS7lix06zkJEGhuxL7g0tk7Z98yyY7f3afM+rKir7L8DWsLHVNu2K3W3Qc\/u2SIn6iJAf1rKbju2aKnN7IuJpFxLkXZibPHIaY\/8AjxbFZe1UdjVUn1LVr4QmmcLbxzynqAGESj8sUOs2V9WRqeGfA91q2pfY7KwsS4P72eVt\/lL3ycnpWUqrWrH7BG5478ZaZ4NtB4J8IzH7TdIyajqcCr5hO0navovb3qqd6rInJQR5r8J\/Dlzd3UOr+Iik00oWVIDyATggvnqfQdBSxLUE4wDDwcrTn1LemQfZdXmu2ZP9GlMgDEjaQxwTjoOOp4\/CiF+VNiqSWsUZ2spZzyyzri3kGVKBR9\/JJyPcgjPHQHGK6HC+xgpOKMDTHt7bVt06AwyY3gn7pByG\/A9fbNEZNbhOPNsbJt5F1RBa2qRO8kny794iYqPMUKRyu37oORhhjmtUZLVHEeL2mksJpjtX96DtAwBz0x2\/+tTpL3rhiVakO8Lzxy2YbbA7QAGSOTarkDgMrd\/mwCpHcVq9GckFdGvc\/bYXuLlGjLOdrxGYER5+6+ehBHA\/EUpyS1ZrGN9DFurGV7crJ9n2Nt3FXTJGeenNTGavoXOPundaDaEeFJr25WSNTdFFTbkLycADg5AA9KJPUiKskZjxQXmtDy7KZDCwbLuAoI\/jC4+6wLfMCeOtCTirlNXNfSfDWp22lIZNaMFtCjeWkSKg2N\/edsdqwddJ2RvHDtq70RLo1h4XvNQktVuftN2sW9pYmabywOAC\/AXJOOOafPUVm9EJwoxTUdWO1tdXsYYoNGGnykKQ0k0nMZHYKSRj8zV8tObvJgpVoxtGJhHSdZvJWuPEGsG4Un5LaGYhce5AwPwqnKEdIIhwqT\/iS+Qt2l9DCLe0+w21oGyYomIyfy5Puc1MGuZSluE4+44RWhzWq+G7u5uvPOpRMc5Pmktt+nAxXSqkFsjnlQqS3ZAuiSRXIeK7tkO4B2CsSwHtj9aXtlJbE\/V5rZo39WvnnTbJOjAcr8prmjC2x1uTsY2rSYaF7Vvmii2qcY9Qf0J5rppnNWOyvry6huJlgnmjcyHGyQggZ5ri5IuR6fNaJYXxBqKLsklE2O0yLJ\/6EDUyp22GndajY9RsJxi60LTZGJ7RGI\/X5SKlRl\/MHLF9C3YjQlYSwQajYyAEbrS9K4U8EDI6fjTknbWzRUYqLvF2LcNlplxFHHHrWpRhB+7SeHeqj0+Vvb0qHPuhqHmadnp12kWyx16wlDH5Umj2MT6fMvH51HNB9BpPubt0dfjuDZ61bW63Fsi7AGJMgwNvIOOmMVDsti4+ZHFqDpbBpdCuHjb7skallP44Ipeg3MX+2NN8l4rq3cBznDWsbbR6fwmpak2LmXUy9U0fwLqnmNMtnJvXo9s6sD9eRW0KlWOzJlGlL4lc57U\/hp4SuExYNZK0uVZWtkyvbhuDW8MZVT3f3mP1TDv7K+4zT8JYbOWOa0WwmeGQPGfMl4Ye24j9K0lj5yVmyY5fST5kvzLX\/CL6rZ3VxMbACS5l82QwzD5mIALYKjHAHArL20Gkmzb2Ti27aslFhqKJumjvVIPGIA4P5HNJSithpPqMN06fLLHIy5xl45kJ\/KiVmPmXUY1xaurMTCAB91nAP\/j60lz7MNCpI1nNNzaxMqjGEEZOfUlSKpJkOzJIdOt5IZPKicyRjcqGE4b\/AIEH4puUkx8t1oJDZQMx863mgZhy2+TH9e1S5NMOXuaNr4bs5EWdLibLAZ\/ehvoAGXipdaWxtGit7lefRNHF20cmobCMDbLJGB+GRzTjO2thOnG9rl218G6LeqTH4hRSeiPDGw\/RhmpniJR3iWqCa0Y4+AVilFwniC0QRsDiSBgvHrtas\/ri2UQ+ryTvcnuvB+oBCTfWs0Y5BUSAAHp3OahYmN9i5U5lUaHqUJYW11ZOUOBHHcvkD8Rya1VSO5ChNbFZ7DxMJWWO1uyqscbLpsAf1qlOnbX8hWq7IgmtPEnmjzYb9EUkAvMWx9aF7LyF+9vqhoTWLfckMsv3v+ehBx75HFXanJaibkhJTr8waOT7QVJx\/rgM+\/IFCVKIr1HoNt9O10uWWG7ITriWNzjsTmnKVPqyOWp2JTPrtmCZXvIwMgBgnPp0qGoND5qiFh1bxRGkZd5wrc7VCnHvxU+zoth7SqkTWV34nvpDG1ncOAD83nRqB9dzVo4wWzF7Sq3sbXhjwtq+syiXUtf0TwzYL\/rb3U9XhAT1AjQl3PsAPrVwocyv0OWti\/Zu1m32R6PY\/E\/wL8JfDlzZfC3T5fHXii5i23Ov37rb2ueyjJDFAf4EAzjlq7abo0Y2jueZWhicTL31Zdj3PV9V1TU\/2VL\/AFnUGi\/tW78HvdXBjQCMztBuOByNu7tyMV03i43PP5eWry+Z8o+G\/iH8aJoLGZ9YwpaAnFlZ4wWXPSH61wuuk7XPc+pJxbt+J9f\/ALamt694a\/Zw1nV\/DN4bXU47mzSObyFmwGmUMNrKwPHscV21NItni0IqVRJnzP8AC\/xf+0p4x1aXRvBXi3VJbiKI3LRJaRW8Magcl2aBVyTwB1JxXLGc3pE9SpQw8I80\/wBTI8Iana+DdVl8QN8O7\/xl41kvHk3azayRWGn3JYlgltGmZZN2eTtAP3QOtZqrSTvLc1nSrThywdo+R7TpPw4+JPxJ0w+Mv2ofHY0bwgmJo\/C9vP8A2dbsvUfajkbV\/wBklmPtXWnJq8tEeZN04Plp6vue8fCzUPB+ofDzTrjwHBaReGBG0WnR21qbeAxoxU7EIB2Eg4bHzdec5rWLT2Oaaadpbnz34ql0r9lr4M6tpHhy"} 02486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1492,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":143,"flow_packet_id":3,"flow_src_last_pkt_time":1654385136215384,"flow_dst_last_pkt_time":1654385136563855,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385136563855,"pkt":"nLbQ0+MztKXvZygQCABFAAXU7ZhAADYGaKmsaXlSwKgCfgBQtHgmuiQMUbJfToAQAOskjAAAAQEICsmhz1rytRrb\/9j\/4AAQSkZJRgABAQEAeAB4AAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMABAIDAwMCBAMDAwQEBAQFCQYFBQUFCwgIBgkNCw0NDQsMDA4QFBEODxMPDAwSGBITFRYXFxcOERkbGRYaFBYXFv\/bAEMBBAQEBQUFCgYGChYPDA8WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFv\/AABEIASICJgMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APvKRyGwMdB1UelMQm9v9n\/vkU7CuSBjjt+QoAXcfb8hQAbj7fkKAFDHHb8qADcfb8qADcfb8qADcfb8qAFBOO35UWC4uT7flRYLhk+35UWC4ZPt+VFguKM+35UWC4Z+n5UALn6flQAZ+n5UAVtWhW50y4gYAiSJlxjrxWNeHPSlHujWlU5KkZdmcx8J72WSwuLGbGYH3KCBkA9RXm5ZUvCVPsevnNJOUKy6o69T9Pyr1E9EeHfUXP0\/Ki4XDP0\/Ki4XDP0\/Ki4XDP0\/Ki4XDP0\/Ki4XDP0\/Ki4XAfh+VAXF\/AUBcPwFAXD8BQFw\/AUBcPwFAXD8BQFw\/AUBcPwFAXD8BQFw\/AUBcD07UBcQHnt+VFwuKenagLiZ+n5UXC4A89vyouFxfyoC4mcelAXGPMiDJKigGzH8ReKtJ0iBpLu6RcD7vVj+FUTzjvCGrLrGmLfou1ZeVDIAQM96Aua4PI6dfSgdx\/4CpHcPwFAXD8BQFzP8R3IttNlkOMbT2FY4iX7oZ4f4nk\/te7NpHLIhDE5XFfKSb7jLBkk0HSQQfMfgYIzWEm+5Ri+KPFcml6Wbt5cueQoArSg33JlI4mz+MAt70C68z96TtJTgVvyzkY+0Ox8H3V3r9294t0fKZflHpWclLuXF8wx9Lmg1G4+2TF4C2Qx9Kz53Hqanmnxtu49KvLe+tLx1ROCobHWuvD3mtzCruP8ACnxEvrqW1WB5JPNIXBXIFazpytqRTlqdh8OtY1q1+NWmW97bFY7xiI328fdNVg7e2SudB9H6PLINTuVJXqD9wcV9KSbIdsfw\/wDfIoC4ySRicfL\/AN8igCGSWUcqF\/74H+FSy48vUjiunMhBC5Xr8g\/woKlHsTPc4jJZkA91FBBxfjr4maLoKzW8UqXV7FHv+zxKpO3OM+lRKVioxueXL8U9bvrj7Vq2qWumWjriKGBVzuyeST\/s1nds2SsfRUv3\/wAB\/KutHKwoAkHSgAoAKAHDpQAUAFABQA4dKACgAoAUdaAFoAKACgAo"} -01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1567,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":142,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385136207603,"flow_src_last_pkt_time":1654385137102946,"flow_dst_last_pkt_time":1654385137455380,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":208,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":143010,"midstream":1,"thread_ts_usec":1654385137455380,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46170,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":71858.1,"flow_max":895343,"flow_stddev":186827.2,"c_to_s_min":12624,"c_to_s_avg":453983.5,"c_to_s_max":895343,"c_to_s_stddev":441359.5,"s_to_c_min":1,"s_to_c_avg":44563.5,"s_to_c_max":371980,"s_to_c_stddev":110943.3},"pktlen": {"c_to_s_min":274,"c_to_s_avg":276.0,"c_to_s_max":278,"c_to_s_stddev":2.0,"s_to_c_min":387,"s_to_c_avg":4833.0,"s_to_c_max":21666,"s_to_c_stddev":5678.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01368{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1578,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":139,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1654385131029337,"flow_src_last_pkt_time":1654385137110902,"flow_dst_last_pkt_time":1654385137463937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":202,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":1039,"flow_dst_tot_l4_payload_len":156844,"midstream":1,"thread_ts_usec":1654385137463937,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":60148,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":43,"flow_avg":531670.1,"flow_max":4660887,"flow_stddev":1219703.2,"c_to_s_min":216537,"c_to_s_avg":1584098.6,"c_to_s_max":4660887,"c_to_s_stddev":1642145.4,"s_to_c_min":43,"s_to_c_avg":292481.8,"s_to_c_max":4604216,"s_to_c_stddev":950774.1},"pktlen": {"c_to_s_min":268,"c_to_s_avg":273.8,"c_to_s_max":278,"c_to_s_stddev":4.8,"s_to_c_min":384,"s_to_c_avg":5875.0,"s_to_c_max":21666,"s_to_c_stddev":6417.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1600,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":143,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385136215384,"flow_src_last_pkt_time":1654385137106944,"flow_dst_last_pkt_time":1654385137800355,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":212,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":424,"flow_dst_tot_l4_payload_len":219741,"midstream":1,"thread_ts_usec":1654385137800355,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":34,"flow_avg":89176.3,"flow_max":891560,"flow_stddev":196675.3,"c_to_s_min":20405,"c_to_s_avg":455982.5,"c_to_s_max":891560,"c_to_s_stddev":435577.5,"s_to_c_min":34,"s_to_c_avg":60960.4,"s_to_c_max":375934,"s_to_c_stddev":126160.0},"pktlen": {"c_to_s_min":278,"c_to_s_avg":278.0,"c_to_s_max":278,"c_to_s_stddev":0.0,"s_to_c_min":386,"s_to_c_avg":7390.7,"s_to_c_max":21666,"s_to_c_stddev":6768.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01352{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1567,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":142,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385136207603,"flow_src_last_pkt_time":1654385137102946,"flow_dst_last_pkt_time":1654385137455380,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":208,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":143010,"midstream":1,"thread_ts_usec":1654385137455380,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46170,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":73900.7,"flow_max":895343,"flow_stddev":189691.4,"c_to_s_min":895343,"c_to_s_avg":895343.0,"c_to_s_max":895343,"c_to_s_stddev":0.0,"s_to_c_min":1,"s_to_c_avg":44563.5,"s_to_c_max":371980,"s_to_c_stddev":110943.3},"pktlen": {"c_to_s_min":274,"c_to_s_avg":276.0,"c_to_s_max":278,"c_to_s_stddev":2.0,"s_to_c_min":387,"s_to_c_avg":4833.0,"s_to_c_max":21666,"s_to_c_stddev":5678.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01368{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1578,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":139,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1654385131029337,"flow_src_last_pkt_time":1654385137110902,"flow_dst_last_pkt_time":1654385137463937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":202,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":1039,"flow_dst_tot_l4_payload_len":156844,"midstream":1,"thread_ts_usec":1654385137463937,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":60148,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":43,"flow_avg":481391.0,"flow_max":4660887,"flow_stddev":1215170.1,"c_to_s_min":216537,"c_to_s_avg":1520391.2,"c_to_s_max":4660887,"c_to_s_stddev":1830439.5,"s_to_c_min":43,"s_to_c_avg":292481.8,"s_to_c_max":4604216,"s_to_c_stddev":950774.1},"pktlen": {"c_to_s_min":268,"c_to_s_avg":273.8,"c_to_s_max":278,"c_to_s_stddev":4.8,"s_to_c_min":384,"s_to_c_avg":5875.0,"s_to_c_max":21666,"s_to_c_stddev":6417.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01354{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1600,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":143,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385136215384,"flow_src_last_pkt_time":1654385137106944,"flow_dst_last_pkt_time":1654385137800355,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":212,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":424,"flow_dst_tot_l4_payload_len":219741,"midstream":1,"thread_ts_usec":1654385137800355,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":34,"flow_avg":91723.4,"flow_max":891560,"flow_stddev":199830.4,"c_to_s_min":891560,"c_to_s_avg":891560.0,"c_to_s_max":891560,"c_to_s_stddev":0.0,"s_to_c_min":34,"s_to_c_avg":60960.4,"s_to_c_max":375934,"s_to_c_stddev":126160.0},"pktlen": {"c_to_s_min":278,"c_to_s_avg":278.0,"c_to_s_max":278,"c_to_s_stddev":0.0,"s_to_c_min":386,"s_to_c_avg":7390.7,"s_to_c_max":21666,"s_to_c_stddev":6768.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1625,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385139579809,"flow_src_last_pkt_time":1654385139579809,"flow_dst_last_pkt_time":1654385139579809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":887,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":887,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":887,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385139579809,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"103.29.71.30","src_port":35200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01715{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1625,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":145,"flow_packet_id":1,"flow_src_last_pkt_time":1654385139579809,"flow_dst_last_pkt_time":1654385139579809,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":953,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":953,"pkt_l4_len":919,"thread_ts_usec":1654385139579809,"pkt":"tKXvZygQnLbQ0+MzCABFAAOrd4dAAEAGTmTAqAJ+Zx1HHomAAFCgxdnYmdL2h4AYAfZ0\/wAAAQEICoGE\/JiYFaLeR0VUIC9jLzM1LzEzMjc3PyZfaW5fYXBwPWthbmthbiZfdWRpZD1lNmRiZDMwYi0zYjg0LTQ0YjQtOTc1MS02MzExNDhhM2VkZTkmX3Y9Mi44LjIuMSZfcGFja2FnZT1jb20uc2NlbmV3YXkua2Fua2FuJl9tb2RlbD1zZGtfZ3Bob25lX3g4NiZfb3Y9MTEmX2JyYW5kPUdvb2dsZSZfYW5kcm9pZF9pZD1iOWUyODc3NjM1NGQyNTllJl9nYWlkPTVhYzZhMGZmLThkMTgtNDdiYy1hOTAyLTI4MTJjZjBjMjUxZSZ0PTE2NTQzODUxMzYmXz0xNjU0Mzg1MTM3OTY4Jl9jaGFubmVsPTFreHVuJl9sb2NhbGU9VVNfZW4mX2NhcnJpZXI9MzEwMjYwJl9yZXNvbHV0aW9uPTEwODAlMkMxNzk0Jl9haWQ9NWFjNmEwZmYtOGQxOC00N2JjLWE5MDItMjgxMmNmMGMyNTFlIEhUVFAvMS4xDQpIb3N0OiByZWxlYXNlLmJpZ2RhdGEuMWt4dW4uY29tDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpVcGdyYWRlLUluc2VjdXJlLVJlcXVlc3RzOiAxDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTGludXg7IEFuZHJvaWQgMTE7IHNka19ncGhvbmVfeDg2IEJ1aWxkL1JTUjEuMjAxMDEzLjAwMTsgd3YpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS84My4wLjQxMDMuMTA2IE1vYmlsZSBTYWZhcmkvNTM3LjM2DQpBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsaW1hZ2UvYXBuZywqLyo7cT0wLjgsYXBwbGljYXRpb24vc2lnbmVkLWV4Y2hhbmdlO3Y9YjM7cT0wLjkNClgtUmVxdWVzdGVkLVdpdGg6IGNvbS5zY2VuZXdheS5rYW5rYW4NCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQ0KQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuOQ0KDQo="} 01563{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1625,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385139579809,"flow_src_last_pkt_time":1654385139579809,"flow_dst_last_pkt_time":1654385139579809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":887,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":887,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":887,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385139579809,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"103.29.71.30","src_port":35200,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"release.bigdata.1kxun.com","http": {"url":"release.bigdata.1kxun.com\/c\/35\/13277?&_in_app=kankan&_udid=e6dbd30b-3b84-44b4-9751-631148a3ede9&_v=2.8.2.1&_package=com.sceneway.kankan&_model=sdk_gphone_x86&_ov=11&_brand=Google&_android_id=b9e28776354d259e&_gaid=5ac6a0ff-8d18-47bc-a902-2812cf0c251e&t=1654385136&_=1654385137968&_channel=1kxun&_locale=US_en&_carrier=310260&_resolution=1080%2C1794&_aid=5ac6a0ff-8d18-47bc-a902-2812cf0c251e","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} @@ -815,7 +815,7 @@ 01207{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1658,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":153,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385141046673,"flow_src_last_pkt_time":1654385141046673,"flow_dst_last_pkt_time":1654385141046673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":426,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":426,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":426,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385141046673,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.79.37","src_port":41390,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Google","proto_id":"7.126","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"google.open-js.com","http": {"url":"google.open-js.com\/doubleclick\/ca0ecde2.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} 01137{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1659,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":153,"flow_packet_id":2,"flow_src_last_pkt_time":1654385141046673,"flow_dst_last_pkt_time":1654385141075345,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":520,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":520,"pkt_l4_len":486,"thread_ts_usec":1654385141075345,"pkt":"nLbQ0+MztKXvZygQCABFAAH68DMAAPgGrD4SQE8lwKgCfgBQoa4lNEsiAYFa4YAYAIOtmwAAAQEICtL8K4OmALBISFRUUC8xLjEgMjAwIE9LDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2phdmFzY3JpcHQNCkNvbnRlbnQtTGVuZ3RoOiAxNDcxDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpEYXRlOiBTYXQsIDA0IEp1biAyMDIyIDA2OjE4OjEzIEdNVA0KTGFzdC1Nb2RpZmllZDogU3VuLCAyNyBTZXAgMjAyMCAwOTo0ODo1MSBHTVQNCkVUYWc6ICJmZGI1MmNiYTkxNGQxMGI3NWI2YTY2ZmQ1NzVhZmFkMCINClNlcnZlcjogQW1hem9uUzMNClgtQ2FjaGU6IEhpdCBmcm9tIGNsb3VkZnJvbnQNClZpYTogMS4xIGI0ZTZhMTMwMWExMTQzOTM3MjMzNGFhMTRmYjdkMzEwLmNsb3VkZnJvbnQubmV0IChDbG91ZEZyb250KQ0KWC1BbXotQ2YtUG9wOiBUWEw1MC1QMg0KWC1BbXotQ2YtSWQ6IGM4c2hiWWJFVnhFWWhjaEN4c1d5LUVhTDNiYzl2V3g5aUl5clpkVFEyYjVfeXZneTlRdTBNUT09DQpBZ2U6IDYxNjQ5DQoNCg=="} 02437{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1660,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":153,"flow_packet_id":3,"flow_src_last_pkt_time":1654385141046673,"flow_dst_last_pkt_time":1654385141075345,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1494,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1494,"pkt_l4_len":1460,"thread_ts_usec":1654385141075345,"pkt":"nLbQ0+MztKXvZygQCABFAAXI8DQAAPgGqG8SQE8lwKgCfgBQoa4lNEzoAYFa4YAQAIPvVgAAAQEICtL8K4SmALBIZnVuY3Rpb24gaGF2ZVNjaXJwdCgpe3ZhciBhbGxTY3I9ZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoInNjcmlwdCIpO2Zvcih2YXIgaT0wO2k8YWxsU2NyLmxlbmd0aDtpKyspe2lmKGFsbFNjcltpXS5zcmMuaW5kZXhPZigiaHR0cHM6Ly93d3cuZ29vZ2xldGFnbWFuYWdlci5jb20vZ3RhZy9qcz9pZD1VQS0xNTQ3NTc5MjktNTciKT4tMSl7cmV0dXJuIHRydWV9fXJldHVybiBmYWxzZX1kb2N1bWVudC53cml0ZWxuKCIgPGRpdiBpZD0nZ29vZ2xlYWQnIG9uQ2xpY2s9XCJndGFnKCdldmVudCcsICdPbkNsaWNrJywgeydldmVudF9jYXRlZ29yeScgOiAnYWRDbGljaycsICdldmVudF9sYWJlbCcgOiAnY2xpY2tzdWNjZXNzJ30pXCIgPiIpO2RvY3VtZW50LndyaXRlbG4oIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0Jz4iKTtkb2N1bWVudC53cml0ZWxuKCJnb29nbGVfYWRfY2xpZW50ID0gJ2NhLXB1Yi00NDAxNTQ3MTc4Mjc5NTA1JzsiKTtkb2N1bWVudC53cml0ZWxuKCIvKiBha2VtYW5nYS5jb21fQUtfMzIweDUwXzIgKi8iKTtkb2N1bWVudC53cml0ZWxuKCJnb29nbGVfYWRfc2xvdCA9ICdha2VtYW5nYS5jb21fQUtfMzIweDUwXzInOyIpO2RvY3VtZW50LndyaXRlbG4oImdvb2dsZV9hZF93aWR0aCA9IDMyMDsiKTtkb2N1bWVudC53cml0ZWxuKCJnb29nbGVfYWRfaGVpZ2h0ID0gNTA7Iik7ZG9jdW1lbnQud3JpdGVsbigiPFwvc2NyaXB0PiIpO2RvY3VtZW50LndyaXRlbG4oIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0JyBzcmM9Jy8vcGFnZWFkMi5nb29nbGVzeW5kaWNhdGlvbi5jb20vcGFnZWFkL3Nob3dfYWRzLmpzJz4iKTtkb2N1bWVudC53cml0ZWxuKCI8XC9zY3JpcHQ+Iik7ZG9jdW1lbnQud3JpdGVsbigiPC9kaXY+Iik7dmFyIGhhdmVTY2lycHQxPWhhdmVTY2lycHQoKTtjb25zb2xlLmxvZygiZ29vZ2xlQWRzOiAiK2hhdmVTY2lycHQxKTtpZighaGF2ZVNjaXJwdDEpe2RvY3VtZW50LndyaXRlbG4oIjwhLS0gR2xvYmFsIHNpdGUgdGFnIChndGFnLmpzKSAtIEdvb2dsZSBBbmFseXRpY3MgLS0+Iik7ZG9jdW1lbnQud3JpdGVsbigiPHNjcmlwdCBhc3luYyBzcmM9J2h0dHBzOi8vd3d3Lmdvb2dsZXRhZ21hbmFnZXIuY29tL2d0YWcvanM\/aWQ9VUEtMTU0NzU3OTI5LTU3Jz48XC9zY3JpcHQ+Iik7ZG9jdW1lbnQud3JpdGVsbigiPHNjcmlwdD4iKTtkb2N1bWVudC53cml0ZWxuKCIgIHdpbmRvdy5kYXRhTGF5ZXIgPSB3aW5kb3cuZGF0YUxheWVyIHx8IFtdOyIpO2RvY3VtZW50LndyaXRlbG4oIiAgZnVuY3Rpb24gZ3RhZygpe2RhdGFMYXllci5wdXNoKGFyZ3VtZW50cyk7fSIpO2RvY3VtZW50LndyaXRlbG4oIiAgZ3RhZygnanMnLCBuZXcgRGF0ZSgpKTsiKTtkb2N1bWVudC53cml0ZWxuKCIiKTtkb2N1bWVudC53cml0ZWxuKCIgIGd0YWcoJ2NvbmZpZycsICdVQS0xNTQ3NTc5"} -01361{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1703,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":146,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1654385140171515,"flow_src_last_pkt_time":1654385140959776,"flow_dst_last_pkt_time":1654385142015753,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":424,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":765,"flow_dst_max_l4_payload_len":8640,"flow_src_tot_l4_payload_len":1625,"flow_dst_tot_l4_payload_len":79973,"midstream":1,"thread_ts_usec":1654385142015753,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":45380,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":331,"flow_avg":100756.4,"flow_max":591706,"flow_stddev":157338.7,"c_to_s_min":379636,"c_to_s_avg":459989.0,"c_to_s_max":591706,"c_to_s_stddev":93886.9,"s_to_c_min":331,"s_to_c_avg":63594.4,"s_to_c_max":380392,"s_to_c_stddev":108044.9},"pktlen": {"c_to_s_min":490,"c_to_s_avg":607.7,"c_to_s_max":831,"c_to_s_stddev":158.0,"s_to_c_min":1267,"s_to_c_avg":2823.7,"s_to_c_max":8706,"s_to_c_stddev":2208.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1703,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":146,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1654385140171515,"flow_src_last_pkt_time":1654385140959776,"flow_dst_last_pkt_time":1654385142015753,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":424,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":765,"flow_dst_max_l4_payload_len":8640,"flow_src_tot_l4_payload_len":1625,"flow_dst_tot_l4_payload_len":79973,"midstream":1,"thread_ts_usec":1654385142015753,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":45380,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":331,"flow_avg":84919.3,"flow_max":408625,"flow_stddev":132393.4,"c_to_s_min":379636,"c_to_s_avg":394130.5,"c_to_s_max":408625,"c_to_s_stddev":14494.6,"s_to_c_min":331,"s_to_c_avg":63594.4,"s_to_c_max":380392,"s_to_c_stddev":108044.9},"pktlen": {"c_to_s_min":490,"c_to_s_avg":607.7,"c_to_s_max":831,"c_to_s_stddev":158.0,"s_to_c_min":1267,"s_to_c_avg":2823.7,"s_to_c_max":8706,"s_to_c_stddev":2208.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1714,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385142293700,"flow_src_last_pkt_time":1654385142293700,"flow_dst_last_pkt_time":1654385142293700,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":517,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385142293700,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"119.28.164.143","src_port":51888,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01205{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1714,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":154,"flow_packet_id":1,"flow_src_last_pkt_time":1654385142293700,"flow_dst_last_pkt_time":1654385142293700,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":571,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":571,"pkt_l4_len":537,"thread_ts_usec":1654385142293700,"pkt":"tKXvZygQnLbQ0+MzCABFAAItm2FAAEAGvpfAqAJ+dxykj8qwAFA1Ocr3U6+amlAYAfbg8QAAR0VUIC9xem9uZS9vcGVuYXBpL3FjLTEuMC4xLmpzIEhUVFAvMS4xDQpIb3N0OiBxem9uZXN0eWxlLmd0aW1nLmNuDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTGludXg7IEFuZHJvaWQgMTE7IHNka19ncGhvbmVfeDg2IEJ1aWxkL1JTUjEuMjAxMDEzLjAwMTsgd3YpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS84My4wLjQxMDMuMTA2IE1vYmlsZSBTYWZhcmkvNTM3LjM2DQpJbnRlcnZlbnRpb246IDxodHRwczovL3d3dy5jaHJvbWVzdGF0dXMuY29tL2ZlYXR1cmUvNTcxODU0Nzk0Njc5OTEwND47IGxldmVsPSJ3YXJuaW5nIg0KQWNjZXB0OiAqLyoNClgtUmVxdWVzdGVkLVdpdGg6IGNvbS5zY2VuZXdheS5rYW5rYW4NClJlZmVyZXI6IGh0dHA6Ly9tYW5nYXdlYi4xa3h1bi5tb2JpLw0KQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlDQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC45DQoNCg=="} 01226{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1714,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385142293700,"flow_src_last_pkt_time":1654385142293700,"flow_dst_last_pkt_time":1654385142293700,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":517,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385142293700,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"119.28.164.143","src_port":51888,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Tencent","proto_id":"7.285","encrypted":0,"breed":"Acceptable","category_id":6,"category":"SocialNetwork","hostname":"qzonestyle.gtimg.cn","http": {"url":"qzonestyle.gtimg.cn\/qzone\/openapi\/qc-1.0.1.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} @@ -854,7 +854,7 @@ 01280{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1835,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":162,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385146284849,"flow_src_last_pkt_time":1654385146284849,"flow_dst_last_pkt_time":1654385146284849,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":526,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":526,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385146284849,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49396,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"hkbn.content.1kxun.com","http": {"url":"hkbn.content.1kxun.com\/manga-hant\/images\/project\/cartoons\/00dd6bfe750c02c8d10d7112d143f322.jpg?format=webp","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} 00909{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1836,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":158,"flow_packet_id":2,"flow_src_last_pkt_time":1654385146253018,"flow_dst_last_pkt_time":1654385146458654,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":351,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":351,"pkt_l4_len":317,"thread_ts_usec":1654385146458654,"pkt":"nLbQ0+MztKXvZygQCABFAAFR8fdAADYG95QOiIhswKgCfgBQwNwlgdAMRlWmyoAYAHrh2AAAAQEICpoJIgUeulbiSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjkuNy40DQpEYXRlOiBTYXQsIDA0IEp1biAyMDIyIDIzOjI1OjQ2IEdNVA0KQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnDQpDb250ZW50LUxlbmd0aDogNDU0MjYNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCkFjY2Vzcy1Db250cm9sLUFsbG93LU9yaWdpbjogKg0KQ2FjaGUtQ29udHJvbDogbWF4LWFnZT0yNTkyMDAwLCBtdXN0LXJldmFsaWRhdGUNCkV0YWc6IDhjZTAyMDA1YjJiYjVmYzc5Nzk1NTc1NmIwM2EzMTk2OTI2ZTc5OTYNCg0K"} 02472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1837,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":158,"flow_packet_id":3,"flow_src_last_pkt_time":1654385146253018,"flow_dst_last_pkt_time":1654385146460775,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385146460775,"pkt":"nLbQ0+MztKXvZygQCABFAAXU8fhAADYG8xAOiIhswKgCfgBQwNwlgdEpRlWmyoAQAHoGUwAAAQEICpoJIgUeulbi\/9j\/4AAQSkZJRgABAQAAAQABAAD\/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL\/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL\/wgARCAI6AbIDASIAAhEBAxEB\/8QAGwAAAgMBAQEAAAAAAAAAAAAAAAMBAgQFBgf\/xAAaAQADAQEBAQAAAAAAAAAAAAAAAQIDBAUG\/9oADAMBAAIQAxAAAAH20E27BKcXAViJSJBAEhBIEEgQTAAAAASAAAAAAAAAEBIQABEwAAAAyCYGXpdICAoRFNwtkoAAADMSVVpqBeaXSmYkJglIAAAAAAAAiQIAAACQAAAAAAAImAAAgAABsACAAi1YGypYShsBVi2AAJAAJku6gAIJgVglBICAAAAAAAAAAgAAAcgCAAAAAAAAgAZEwAAwCBkTAAAXiRKCQIiasYAkAAq1B1ciQkiUiQCQBAAAAAABHBH348TWtPcnj9iXpIw7lmTAEkASEBIAEEBMEDkiQAGETA4JhhEwNkrvMyAKKMAraoOxAJQSXF5kmJICQBSRIAAAQArL5Z36Hy8UrVkpqnoEMlN24W0\/TdLxXUM\/QCrTncBkkCArYAAK2i4AAilwFgOiJhsYu6VgFIAAAFSQdLxISRIiJAgAYRIAAhDvOu+bnfmvalJnNLC0l73E50VemP06LGdLmaDHTMFRNYhVM0AZFAGXWwkAEABQtI6xcEsut0yVXSsQCkqAANzMSkAAABAAQEDkgDJx9ua+jJze9zsq519KVKk70Bo0q68vDsTtTZsyJvLSitdH1LZdyzXVoJJaiqSJCzU3aYRJESQEgABATS9BzathAAUtIAABS8BJEgAARMBWsVm2Cl5vi51ZuvXsZs6OeujmqhJl8+0EdHLzxdsy0Vb6VRS06eXq3XR3cdyXUbyHzPQSWUMtFiIrcCs1sOYkEEASRQL0IKm6wGi2EgAAAAABEgABEAmjO859smtLOd8Tgex8t2Oin66M1LXQ7fRjVuNtYGKurTNb+DdjWXdk6+tS1kiH00KJvS7yU9Kh7SkTM2rcABorMIraYHUuAuGwOrKWFIDQAERMBYACllywqK0VJ59Zipkq+V9Hy9aw9Hg9zdc\/cnWFc3cuLjdXXLha9EVOLVtTFchtdlbVcqHLWKq52JSM0rpWk1y2ZpjEtM5iQUQKG6c8g8iWgAAAKlqp2AaAEAAVVaYqqyiay9I3lWnm4Y35dF6Y85kG\/V1nZ7D7LaNvJ1IkmIlI9QzKHP6GbU7vlalCmMzFWOe51pbldoty\/PRz8nrZRY1dKm1Nc2rM3MQsvS9LjMCGpAAiRFCwnIQKaTWXF8T875PN9BzFzu6eZuWxOc59mY9nzek7Z5Pf62Xsehg6OO+jdzdTjUp81mi12p05QmtHQvzFHouj571riMHUiJ8L6LozpfMs6ueuO\/RRyZ6KL14WuSvTjpztX0XOhLRXuBkRMBJEgRMIAAirKjOb0M0JDVO4OpiNGYiZglr5mPwnXHtfEev5\/ZHFZW+uXa9X8899ydeyVsmk78yrO3l4TKizC12uvRaRl6VHrOVO5SOrWrSedn043vszp6EMqhvltiTjdHL3bZt\/bqW52up1zUUWiLAABEgAAAhvmonZbkXjLqP4PoODsrMmzeWjuyfhnx7fI9f4\/ezkJ9r5O4zd\/hQV73fxup5fdptTJtz8HteD9h1PoRJVM3YcBHpb5daxVj6VVVGHFaTqwdA6cet2ZnUwQ2Y5ufqomNbsuvTNkRZKbiE9FkXBgAokoFgAXz+qJebyeiwxlye4\/NehpQ96Oz05uW3ksvs\/"} -01361{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1846,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":157,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385145219802,"flow_src_last_pkt_time":1654385146051643,"flow_dst_last_pkt_time":1654385146466639,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":526,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":10080,"flow_src_tot_l4_payload_len":1052,"flow_dst_tot_l4_payload_len":96620,"midstream":1,"thread_ts_usec":1654385146466639,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49354,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":360,"flow_avg":85143.8,"flow_max":831841,"flow_stddev":181255.6,"c_to_s_min":305348,"c_to_s_avg":568594.5,"c_to_s_max":831841,"c_to_s_stddev":263246.5,"s_to_c_min":360,"s_to_c_avg":47955.3,"s_to_c_max":413644,"s_to_c_stddev":103384.3},"pktlen": {"c_to_s_min":592,"c_to_s_avg":592.0,"c_to_s_max":592,"c_to_s_stddev":0.0,"s_to_c_min":351,"s_to_c_avg":3286.7,"s_to_c_max":10146,"s_to_c_stddev":2484.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1846,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":157,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385145219802,"flow_src_last_pkt_time":1654385146051643,"flow_dst_last_pkt_time":1654385146466639,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":526,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":10080,"flow_src_tot_l4_payload_len":1052,"flow_dst_tot_l4_payload_len":96620,"midstream":1,"thread_ts_usec":1654385146466639,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49354,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":360,"flow_avg":76988.1,"flow_max":831841,"flow_stddev":179465.8,"c_to_s_min":831841,"c_to_s_avg":831841.0,"c_to_s_max":831841,"c_to_s_stddev":0.0,"s_to_c_min":360,"s_to_c_avg":47955.3,"s_to_c_max":413644,"s_to_c_stddev":103384.3},"pktlen": {"c_to_s_min":592,"c_to_s_avg":592.0,"c_to_s_max":592,"c_to_s_stddev":0.0,"s_to_c_min":351,"s_to_c_avg":3286.7,"s_to_c_max":10146,"s_to_c_stddev":2484.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 02483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1850,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":161,"flow_packet_id":2,"flow_src_last_pkt_time":1654385146276790,"flow_dst_last_pkt_time":1654385146470951,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385146470951,"pkt":"nLbQ0+MztKXvZygQCABFAAXUjohAADYGVoEOiIhswKgCfgBQwQSWIbNSmarBiIAQAHrnQQAAAQEICpoJIhIeulb6KGbrQ9NgAoPeIQXK8aNsRvWmWOG2+mJUfVc1tOfBUFm08iHXJpNv2Owf5\/8LnH1ete7iHIgeIQ+NvC5\/VL\/aRL84vFpH3hpuKGie89N\/ltwx+Jf3dMlyw07W7lY\/ANl1EAJvmqFKZxvNP\/7dp2qkMzGNaCj8Doc1sJJRQQ+ao9WYQoMiZ2FUxVUX6mhkQjNYtI4Xmy+wKkhyEHukERva96HY\/dXbvojGVj3HwIwCL7Uu4KCXJCOxCdfzRsyBCPbX85Xo3\/0i+EMzczsTrgKFypwzGJAzBLllK8mrlen1AbXKws\/iFuX9EFW9oTIIiG0ZW4bG5oE4h95E6fNS8I4kaDxPobJq1QBkoPqrtXoiEHjpKULTrft3zYnFpDwQu2eTvwy15CQ2tec5f5m1CtyPkJ8oKSdO\/aLi94jceiOZXraTb6+VbZVTT5v7KqPOtYsl8CgtLKBY9Ot78tCrSByNPAMDNF2pyABksBqbgNk+1a0f6z45tFT7oVWfhgbXl\/on\/kQ2tjjIKII+MrdKpU\/7Pps04g33RP6S4I8ga81Yz5R07ZIyJT6iuback6Gsu\/EUAaiVehLWhou34+zaMkfX4oW8nsmfVHl1TpepxDvzCEYnOi4OxvRscjYz8+bDhvRI9oB6DKa80JOZpGqnO4SIevnAUQte4KcbZKPz6qauxFKMjOPb+Fi92JZNBzuBuVci4AUSISUJZ9pDO344tYqlcxAnz5Lub9aL3azUFNTDSxweDEjd8pW4pwan1wijpkqLHf0vi8uNupO8FH0kib57l4ZodhscgY1lQi\/YP8qhWC\/Ub1YGeDcgEMSVmhxKOxrRmEMxZJH0\/SPVC1Q45KguC3L2a2vUkm\/rWbFirVKvRVj2Z6smUDwqdOzzvBk383pjRzwKiZn+50Qqi6vXyDKsGTAy7P8x6VRpnIzzPW60jAuNOX3Z8JKsQSoQbU7WWYxRsEMq2vDpEdVZDnVZhQNpQTkqwDBMcvnxKwGz371ROj3c1NoOOfCqOGX6dcQUiRIk77k05t4r7lBDoi3JaCOltfNkcyuik3r+d2D8rJRDa0aEaUWI7HzkzGE5xCg05dBJQ+GbxLjA+7YlokrbWDOVI5+7T2BJvj5Z2gSS4bQyr5V6clNZrOF9yEP7TY6KekfQFoBuQkiruOmgQDE3GJilpZpNsJut4YIT7F0OaRSKrHaXWfoS4Pjff1AtIHgB\/bHOLbEtnRDxHNLviswASL0Q8jLLlz3TRCqT8v4o7cRzUn+2eKJxSTko0F7LWInRcpNe9+Y+33MXMVaDAOeHkemly1HrRGPpJskPnYelD9BE\/N2ZrEmqz0vzx+lyA9i46mr4QvLytJqjP9O\/HSqlA1Kx9fxOAXNcAxSgUCEYxWhNuKuqJnLtxuQZR208YZRatEdYzf9DdIBrZeDV9KCfxPH6XHmKZM6Tw3RIrVgIvV1ORu9gNP4ZxWngguwIFKkqm\/QJwvcuq8ge\/\/zWwxnlXlHBvEJwP5OtKAK0XftE6rJHP2e+bJbxwmb93eYXIbhGdyhKZmqch04CLGO8ZQspqifdGuUIlfUuJjFC7hqacsNLSVicuPJzBOyU2NXprEYWc\/OZbxibYqlUXx1QnIHQ5VZlumABcc0\/1T3FfnECTGn8GRjjkVVUZpIueMMQIx3l8RzJtDm1\/VpZNOhOyDZV1UCnbO7S2SykG2XtX4RCuY7OXA8IZ2JnjkHuxMay4A3uSWOFpP5WNNUcHjze\/bYJSsUoGQ\/ieU17tPeq+kN+I0skTj9BNmaip64x8FfSWbU+sFOV0QwBozGD+Lr+4Fx7eGgUibMhfEp33ZyZZa3ve8AZrylaG4wCMpTMxS0GbDni7A5CuyPiGXxt+Ero\/x3NbA0EZstWz0F5lDlbQrK1AfXK7WKby1kb1HGIl\/BAQCaQBP6s"} 14193{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1851,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":161,"flow_packet_id":3,"flow_src_last_pkt_time":1654385146276790,"flow_dst_last_pkt_time":1654385146472685,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":10146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":10146,"pkt_l4_len":10112,"thread_ts_usec":1654385146472685,"pkt":"nLbQ0+MztKXvZygQCABFACeUjolAADYGNMAOiIhswKgCfgBQwQSWIbjymarBiIAQAHqBoQAAAQEICpoJIhIeulb6tgJjnFx8hVIwXR4iVS\/qWz5n+Fxjae7ZlUqBpnRyPdUMUd+QilKzXl7OrNKxG+xfS7TEH288LHzxu8ZitSenHMt52H\/QkEpV69+4AxmflPbcyhYuNqtaP02igUNEXeHnE\/ugkiQLtQdebb8RWtY9VsgDPz9GUtPkZLj16g263T23juO9fsws38GXyF\/QUkl47exxYxCkNwjcpk2rfKmm3nQg7N6W0jqeFp1mCVWfSdnf1Y7Ic0aAspDn0dYX7ERrxAbYuaTLxEKrjn9xjqvkkkgS5vTMQo\/QuHb23Cix7tuT4Z1trzTW8hydtgFvdta227DotNH3yGBi4f+L\/4sXuucsl\/ZYz2EwWxq5jcSLqELfJHxFWvLyS92f\/OP922wdIMEUfGBrUGM\/B3JtuZ3WiM5qe4JQxMfqsdaQSk4KNPI7lDEQlXw1h0iteFlx\/\/sbXUFb7a6zxAGqKLOfVJ8nwgmuJ2JJ7a50wGQcZ5nLknIFyLr5KlKTMbvqLWFs2LMvOv6V3ngFYSqCpTCGvq3EMOwjXIRIIPG0xirKad\/WrPQ8qnK75ee\/4IVUZVYuQzRd7olXfWjNWoMU2XKEWOHVqY0lXpUYEDS21smZjZOKOEbaDcPJR3IR2tSF8v7lmhDnC7A1Q\/ZMUecW1YHLZoxctM+TtOWZT+8NOrxJea3YCm9Yx1kAaAeNlJkXZxTsZx9fiGRUsKJUp87laAJvDIbOMmd8r1aoYTkTFmU\/sSJ8mQf2rPRf1eOXfHgrWYTr5hLNs7M38fDRwMZyvGfVF9JaZJr7oby8iyXNXc7zTY2L\/7mbvHkCPWlgDez3Db3GmjmR1B4zzKCnOT+ig1lwwIJo1WP+cxiw7N2K9r3vspvR5Vcuvuh7tgHpWqmAWhI6fetLr\/c2Vl0iiMIIre8vZpLEHW\/nohVeVVUderzf2dVhF2EtWAMquqz+sXVK0WGqetxa0ic3Oqtaq26N2z5MTbOtJmKxpBzaXCwnIzJfbkvT7NrL2Wy0YeTpBNp\/qObq5eeNpmjp1rcehffZdHdR\/PROFB3yNO91UKg3br6J36EchQjn+HHAfILGeZwZXM7g1tOqRvHe74tZLlvy11rPmfX1clEcNLCqdrXEZs6S1hXdICGrhpqkYawHpcEPmYXJpM3IoQIL6\/UfuOmin8lEdLYY6JkRJggUKNF3GopOMtqlw7cN6WYvnHBpqPv+d126Z4G+wSDqysaWGFBAN5NvcQbJbC6Ll61fYucNIkqNOL0YpI0ckzNHkzp7ppuY8oO9Fo0pVc\/ohgagsAS706RZzqtBM771ss7i6ivGHfRBZEjjDIPKsv2Sde9W91iB5ZG1lvOyoiXq+e07SLSxfFtviLdcctt4TbAeowmTgePDz0y3L9AurZZjU4HIorixz5KJ77M2+G+AlWnTOSYKMX0u9tKolMpL1eyCxnoAOfARlh5LFdSrBlImUb8\/QcBlj5qeZRDZQU0B+EzmE+arAHNjN51kGTW6D7VQMJR7u4gZ3CgkHpJn92AK61mPx3iPbbQMIpDgyBDREkqY+81rw9F+VEBGuxGn2OHvqi\/vOzeKm9iM0LloHBhmNL2zynkkneVPICTPD5SM+wMcfYdktvf7olC7djwltDQ1vQJ\/I6RAWfvx2ILm38PTiTvZIBEmYnoBQhOQ0E9Tb4QLfGTKne4btkpduZDgVkqDxDm78xzn71taOI7rLMzMH0SBU\/TziyBk+2oShCxYgmdU0iKDT8r46zjZTZS6v8mEtsdjmBbH7cPpyTT7gKEtnM8zptXWSIhlVykpGlFGFVQescLnpMRvIoRiJxd6HY25i8Q8badO8aZYOw0ti21cGDZu\/crSHqlLbfNys9iM3fwPZY8F2upWh4BROkh4t+NK7aItRWXKGLcjiH8o43WjkrzjhZ62eQB5Wlcc+8CD6CzKirazoV4LzmmyoNOd79K6CEyxZs7LfkoWUz13vIVl5saV+gwv\/uDP2Ytl2FPCGdgA\/v6tuERAYkXOh8gIh1RlzkPREpEf18veddCRJ8z6MI1K9LoTela\/e9o2mTY2e78QaKnXoqh+gJEKGbQQuqA2rJhJstN3uX\/EaXiA2PLbbBotmQW0YcCmKQgJE\/mvmHOw1Qun\/4swBH6823HVEWmKBvS0oVgAqI74vcVeVMBLwWco9z3HlrXT3tEaneofEZozkE7cn9vQB9DnL+4knS9sv3ucRAaCXIaxI7xyr3FbUUZ5Rzhe0H\/cYTVgieCFjpL\/MHbGwM8eU85\/OtgxMEUVvx+FYdQ\/Xus4ZI3uf5Sccum7RwRDv8sIndEhRGPvW6LqHIsTfNccr79CHKeIR7FkuijEUaO\/OqYmPbzQ9YkqFMB0+Tu2de\/pxeyvudZ\/WVSNhP43OsfPzA72r+zg5t61EFhlrL5bWOOEBWzBkPF1I8X818Sf5\/376K5qlegKQkwXbKRdlJ+dBlPBuUql1J0vaDbHbdtkri1pYwK7wgzini332ipIKeGOeTt5wWKs\/UJc8BSkGmhIG8Xe4f\/NsV5rrZCacV9nG2hTZxgeB0tylrutu\/sCHQNDsVGkcvI3gBB3q\/0vTOgej\/JcQ4b1+hotEGJylJ+eyNmc8vorXCiSHXRHzvzK6jk4pp+0UjXNTxLiHVg4qUFAuiZDIaFzX4O6D8VhmHlbVkYqgJqOX\/uGR2w48wcRx9Vc808nXu61mwFTYRoiQq6\/ejhNCo1BFujUS+hAxzQetpO\/K5aXDdT5Q4tardwiCey5R\/S0MvN5lfkF6zaPhPSYKgg\/PVYZCAciZA3MsJgF49NaKBsik5yEhsb0fgHIH4GeJ4dVGypxdg+2R4daILk6+rl5UnRJPB7824ueIIesQbwA0lA8APOM9i8n2eIOONbuW4Fch\/s9RoyFD0e4YfBpbfMeHceRyVw\/U8NAA5miKE7gJ9GuxC\/pLi8D+krZcFlG5qjZxha\/2jvFLl0bUDdodexooW3iKcNN3NfGh0KXY0d1erClHiGv\/E2Ibb5QUKKhz1HCVfievXCuKd+iXQXwtn5XRQBAaoXdqYslwAQowDTy2gnBMtD6ROBrw\/dyxwRv6sH1TAiCU27nx40639\/Kn+\/kwQflJnb5sjgxAjt821QivnJMxkYJXQSes9hrIx1+nbdW5JwYP22DoX\/Iaf70c5QuYAq3SeuASr+5zuspK2w5qYnsSROZDDRK1QTlHH6uPedRlv9zXiHIQFrgkR2ksd74RBk+t2ovUESSY2bLpgp8wt6Rc7avWpejX4lK\/vTU+HrSv009gZNULrkFU9\/s6bchhE7dkLoaS9\/GzcGhWo3CsP2t0nCGb\/Td2B4xrEPMjPUmL4ec+Izyi00UCIQHdfHsIo6Yd9+hdY7bTkFVVpPGwAIAMYFlXoP+4dIvcw0SwDKskFVWrE53M6bGPKkMA9fESSRf2TnVsJt15VCvXBWWkgs1da5ZsxB8Hxz\/dYLjutOpGakDlN+mjMre8L7PKV4IjOXfFHcklueZlHFfMiKOoAxAnQsxhugdCoiNxI4bCX\/geE0qtc5uywOU\/zahO8RvxDDLxVByl6CpsYll7DpRqay8ia0LpurHZOx2CQoD15zpPDCwpCtrdWUoyRdrGsxmrJ2BOXmiQvThstJVPjn7OD60GBa9VTfhetSOE5A33Rrn5fog05TTsAblGiM3m9yb24drHjEj4HLA0FzYwHEpoPH2DAxRl\/HcA1RuOiYRnNIrcG7werbjY1M3Sa327qYs+3pKFYs\/a35vcUkW6dvfmHWdKRgkl\/lQ8+agNAxx7ytNkTHTtIqy7B8vZAL8KUlPxSj0gt6f0aahHlR4x8+DpVQ03HO6DciE1DtOwpSAVp71Kx1IN67DvbZE5puszzpjMOBMXrHN6EAiyiDkBLRIljHommON+R\/R7kjaffp+gcXAJOOcCJgwyYulXqPEcVjm1lVMWAs1unY+V\/F+uNEJlU+n7ycALtMx8JoapYqpZ\/YERl98enXpnS4JSwG+uXe5eti6wMKtUHR0CpD0ZTaMF8UeGRH7e42Bzv0p2Tu8+lmtnPsKgFOqy4qM8flcxd6FbT51bQmVGBKOz9hsmN+xzNeSS+G06P+gRajneelM9Ml6rshA5Ze9XZNevJ5URGA3+\/4zmL4ZChYcdSj\/dpBrk7KKsyykmGEDSTp0wnUcOoEbwOwdwy0yJSEcPdp5r4I630fJq1ThajSOsveqsNFTGmChRopw616UtUsJ34ZHIEkewDajBG9ciLWIlp9JmiNQA5sdS6h9RnDTz4gD0aZFiDLoQvN9kPOuOrWZL1brHSxQcSnrfMBFNQDS\/T2UGyKc\/3NhjlcLneltmMwChouJwrB1wWnIC01Oz5ybtO8pgf3mNoiFgyjsWkdAUm\/Ilybd1rbLiMUzw1mCAstjt4EOmL7ov3wAjxxXQps5EmW554KBvP1pDfN2rrVJj8KZ39yz2IbgzFEgyGCjwvymAdcelaUJTipIuCs9RDJdcgmqgxPTZvY0sCT6yaegqEtX8mPz0dFB1wQRMIMB3iywLf+BD8w2hn9fbF88bQRFOTjbN9RJAZwgsHlzOUW0OITmS8gMTFjKFJXyDwGQs4V5LS7fkoeavVxpcEnLxnIotXgNPlS6kU3L2b+eqbGq3yEqaqKVaaCBZKDHd4RSvx6acZ5pMN5tixoPl4VRZTUbncjR7CqssSBkstKemgBJcL5ptv5lHRt8KC8r\/D8drxpQU6SzlMe8Tdv4CsPsMIr9ShohN+dGdO\/Q+YZ4MlJdXIWpPVis9KcBa3BMSAQLL+wlyCrC1DxOauyiJX0pZwmBAP3uFWYpTYr755AsZF7IZSWbLH99OcdO6P4QCsINoDJupHWX0kT9\/ILwvpJZdiJQ78usj3ggE6ufPm5r97uptNSwYWvSBqmpmh7Os4JXPxuC\/oYA9qP+88oU+8sIO935wIdjeKeCSU612zzY7tJRMPJqwyaKqX3F2Ml4mDMtJUpcDHDxd5wHlvcRljGERWhx34qQJ0JL1LapC2Yuq4xWUrbCUWIVjCtmYEfa\/GCOhoSh\/4je8dI1vcbamF7eNP7KRXq8\/j7\/0nPmbGsfJ87rF4KGJE3MFdoClkAlUUrRLaHhiG4eZ9J4RLozN7GBOCkVWWHN5ZAcZUx66oyu0r3mEpWpEYuxlZEtQ0a+RcselQYXz6IuCnJGCHSF5B1YQT8dtCh9Y2xHMplEk9aMjzAZ5TsQ0q0NkXMybToCx5ubpzAZVkBaOnBDwCW5JzH3qkO4m1Y8AzssNxnQddR29gzWPYQyg0Dcxm1OWwVAXNJ6\/SX+S4aDPDV8ymCuPPXQzFDKaJwJOJBrmrARsHZLfI8bbIQ48Fh4G63fa81NkkjBQxfp9npgdy\/bdQCu13ZEFuauYxibrh62hDGVsCl\/5SGVGkTy9NgczZgb\/uar58fVvbN7SIf7HV8afG1gmewssOzVfLq0EfY3Ny8+KiXGGbDHWzNN+mc76\/nymmxBGf58LS4248blw+sucBQGQVLLDUzJUq6oCJofVMo41GsNYXtH6fOPynAzsThq0D8e+jjNCAqLVtm8ZFeahT2ZPmol+LspHBXCkp\/yVPnNsRXEIy1hHfAlZS0eNlJe3RBx3FXhymlEy7K44Tcf5Ni76LhiEOGvYVTVMa27PUfsI40MkT70x7ieJ6FYRIKzUIbAeMHnpEkcHFPy4DbfR3wCD0UChKwSlx6Kady5x470xmBx8VRGz7irKrOxiLKUIWgrzkoggeZwA+lAGQDrqHT4AOKTC4DlKf9XMt2yEfQN1DUxCliAnWe1v3AxbxHAnyrrdBz6rSSe\/EJcFEJPHQDm+UYHvApVKxi\/gRer4sQcA9Qcm4hgZstp4uGyIRjL3SbYY5uAltDI2U+EomQE+SZc99KHDAr0k8k8hb9Gg70cpj29qmGLTPb5l\/3DHw3hH2ywNNERWgs\/V2+UZND4pdNNwRg\/WA+n9o67rtYl6LGQao0ud4GmQNsHYt2eZIgivRYvM3TBPzIaE0iufnYlLjU5EqGxmZxYs40fwTKrnZoQgbAPIbIFFZg6BoCWJhCmgJD78iD4XdzxPvjyshu5A2Z2bNVwSD1OLUxDVRqMgDlcZKJfm2T44YKUT52rhectH4b2OTCH8c1O1WuFpSgRsi9xHBFQHaShA1XiZk+5tiBMMFCLFcC4MqRhIryL1Xt9kVjVw+bLo7UNTs4gMlwM8op3FwFU9JdV1TUw4911Ic+da4z2g0M4eomEnD16ypzV9YvE7PbfX4mG6DIOC7sus4qkeLeUGh+og8npF10LZ6uMQ7NO1jiICa74N4qYd3biZ2PKKCUPsRwiQ8GC4+aFT2\/CElHV9Tus86MeNo1mbxN0MelU9Tv3Re3vPhxieigjbNNg7c8NH1lbKWgphzZEQvqW\/1D\/3eHKWu+1spZcYRk1Cz9Xq47QMTDt1ObhcMRa5MC4OOHU9i+rgy4fH6BSRbTrht3nvfqMzfW\/xgs33D0hwh1eVnBf0PGbhUThT1lBj1exyTJfY0HWfjSfQMcp7I77rxN3+YWgUHV7XikoArasQLBJv4w7LEHyPYY\/+Vj6MwrFWHNchEMNzwTrvd5gF2snhY5eOtRIPg+818Q42DU6OcV4f8vlnYUQXHJ8SkRn+4youn3U7Flx6hzGqd2Kq6kiCNHucaRMmTmTslKYPmix\/DLodndpVGjrAX1amNgwhKlXOsAMB0\/QNROKmcB4zyic9xrBg56IIaTIyKlzKqtQmPzvNxhGKlRMnOEmeJz484gugsUkGQRSGZsTn752c5fp\/IEqJ8uO06Q2Vk9ObzNlHD2qPgNr3K3prb\/xFlwsiNhd3rnU5zIz258tFai7AkGw02iNoM0TXj+mXQMzdOfh3mJ0aCjK6QIj06WOb49ENoiSpchtn\/rXre0PqCm0oC0LPzaEBWDuGyE4WXyH4B7RRFmEYW5slZ9NTVAoOblrF12bwGWUWZDXYeyloF6n2uG\/o9NeOXOAgOMUn6Qv7n9BuhyeC2CiXSHy9y1DZpR8fSv4tPvT6pSWBaQzn5OybvIa4qPoDDAr\/aevKfSF2fAXnhgGWBUOOTRt+hLhFaJNdtqvRBdx51pBwyIqerZQgU5FRr8SgKQNR2Y2UhyDv23ipzi5YxCcOTZ2jTSqzkEdi3KYA\/wG2cHQGq45NoCTDSnVcPFIudxM\/3a5ry93rXYJZAqX2xeRag6MeTog5DxqXTWxNXleuzrGrp18MJKeuCGoRELstSBk\/OXSRnOOFYAISrRtIKiI1BDl2DG1FmmhToIftE+V7CVluP2754NMSG9uzEeQs3I3J20AiKP212JKOjSwfMFHbTzB6c\/OS\/Dm0j1XZljzAYlUs\/kR1qNINEaMAzMk2pimuLm1hyN5pCk7gZCbYyWGF19\/AwcjkwRD7ghvW+nZXFjdan8PU2wH+591yQMbZ4MbTPbDRHzTL7S+MBYJ2\/sXwg2MY2ZLdztxWVvTvwKnb4PuBIochmxGSp1IXlXQtqTgOX5IOA87fk9yU8i9gc\/SBU9pLrPV3l7cVmIltaUP1TvVwUXppaij\/K5aaC2mJHbFTV4B7kJBIBm8TkDKSz4XSAvvMjAepqD1w\/bbYOlro\/h5d5JOSsR9PyLluINE\/74JuqI68WT6pjkeMox1U3aIghcOOrBvzNoBWC2zU3s0wAhOhXJ5utKtCv\/KPcWNPLlyQqVLFYwGgRuUQqNX0zUfdr0E2gdcPE6qpwGANOs9GCCLDTiiLS7bWx0EfgcReMav5+JEGXSdNByKxrvNDELfM2q+bwY61CR38rzDlmu+d7kCAJE0MfDfOLlvE8jPIcfNslyerg2Niox3zzOOsva9xFQ+7GfKZNfnjZtuNFyHUvIFbrlEpcW2H3B5GCMp18jQh8pWrdZczJcc4Aac0gIh\/f+5s4pgV0LPnYCY8HlcVR4B4j4rf4MStSEHzAfZpX\/kYYtsvurzT9EVgYdMvT8FS4jH1W2j\/U2PegzKYNnP3wpYj9CFYKs2jYvLJ6jvD1XhhfR3HRnE4jc6VMq+DDRHlKhG+mti4SyS7RbgLoH\/gHbyMTarFmt2bNHYKgQjqXC0LQQBv31rntuVVHOOazc1DgG+ROX4T5TvwQs6eGOsWbdrcKWpAUmYroutV5glxQd3vGWZ4LdHNLGKqFDSFYJ1I0CTO38x\/0iw1\/MjeLEzEax+jzi2\/wKhjbPMsNk8t68JhGz+VuwI+Z5Ej3HZjM1rMIfExPRP63c49wg47vGSDiML3Kmr\/StRE1KB\/dkvjdDFkp81ryiM0pXrciOaFy7FbL0Dp3fZxLadEpfIvFfiC+mJ2Ig0nQBpqbcfxtk+uFym\/A3yclkZJ8EsWa66dmsk7IUIuXnp3apKNGJQGgbKfLFoWVWK9YsgIPRVOO75R7xDUz9q+\/wdhL6Bvp4iVjP\/YAR07vo9gAmjCQqesZTMhTVAMuXwlERPWl4wtpF0b5ylA4weK63l5VHHeTekepPlmM2ZPgEhPena+eVgrgDpDeBxLVpfjhJdh2pAkFl\/Itj9E+vplhUX79GInBhWr\/Rf6Tjy0aYfZr0bWyYSBA4lA\/R3m1Twy1xWEASJIZt7RakdMzwqSqsG9lO3ibhG4+RjlC4e4GdCGiyDQQToec08qlMrsb6jxurIYsIGEk0i7kTLCjGpt\/7opsmGBM18NONK6EMJiKHTtJSfE6GUrWpQuY5SLFCm6gA8oYUuWrxKHfQRd\/xxiqUOBihtPkSKSDaltV17NwQz36J\/hq7FSp7FqFWILEjYV11Cz4Q8VPxjhoJHSi13GdXpUqGm0GBbQeg63FDVhJQnw1kGtMib2Yf9xU\/2NEYFFK7LIAJAM2C\/v7UelbF21DXicOd67I3RYOxT1R0rQngFVKN0WCK5NYlT7XyG7Vg7YSWOnN7\/AUvIifx6LyicWi1MO\/4j\/tgTPePrYWavU05+b\/X0YGJw0tiFpwX9M80SUeMxuOtQytXsEqklHKltggwksPL2krZgWHjICBOqob2ykobwQ0UULykY9YgOW56Wme\/aLiUQFq0Q7CcJZ89xJ\/42FYJa5lXYH0P\/TM4DppbEtyPFNh\/67NoELB1LkZzEi9PSKyDlIw46NiRT+b8O5ewhbmvpaPcyjC4QGwhHZzbE41F12Gy\/a+cthlvd2qqfwaADTIaDQaJdI025YNkamWe4oPvNi3l6\/btVtWfpldldFiHyFKr1pGyZMk9EyWmCwq3P2mU8qw0zx4eaidYcuaF11F2nyih\/1jIDMAv6DecOtXXxaC9t22nVGRSN2I8zQDT9Yv+g6EKkg5IoICNkMCVyz92eHyfhPo7u23FiB\/HYWhItSJu930LbuZ16E7PJVHYerZwOmqZ\/vHjb4AV0+CE1EBQsVH\/i2r5kHBpovfS7O+8V08ldfPT9A3jWuRmId2jZeFrX0Y1jW9PPFq3kN\/8Ayx7DJya0qzksVuotjIrX0kEdictLzsbhV5\/0DRM7eZLpfc2JKjGndPrkLjiwchhqshbFfpzbxelwMx6zZvb7VmHdVgFsZB2ze7oFfvO81oB5QZJiUVbpxPx2JNOIx\/pUhvvI87IOIge9wOl382BYu3R4q7BkQ7nVP831IaIBxMgFCR7ue0QA5EdpeatlCYAih6CSKLm\/EIRwc3WEUYMdgE7QnPHHL087HqX\/nntbgbSfLUOAnAXQkrDsSI\/TSAxhBaBv4lWfhqaBNKqEQBg5aP\/h0Ai59KLBeMmkDbSqMKamByL5gQBIpRS9y4DrX\/1ERo9Ya59pxvDSpoLKXesALpxgN9RW16xMT7IlPWcBlscjLpFdFLypa5KLH+JTwfsacKE+sa45b49P3tnkUng6KPAvvPrEfY5j4Ds9+GkLoSbIbH5pITuii2U++Fgyh5URgBWDAKBXhsyZpFCAu8Ej+EFhSgesLmUb51pN1UQjHpHOpNKENl9i0RNhG6FXM1qXkmMu2OfRbi2cGhS3Uag2V3K3TnWZOyuwPzDfHVNY2hiKBItohKS2Toqg3LdwIX4ALpN6jwmMY1vJ5pN8xpvy8BhSbpE+drY\/Um26d\/568MLTQYvxke7bs6JitpSjGt4aTSaLzEFOAlJHpgrPvyGdkbKOopCOalf5VBHqUYEqNlCcQJZGcKuibaA+CKhOcASVH\/dVK\/LKcHrVhSKTaRPzOYsOR8cAZDnbAUwFggdNoyi5AiVdH7pYEQi563d4YRRkaDPChr2MwLzQE5Z2eygLLEUTjZauDGSZY2STnngf\/IFlcIvrZPeVh\/jylOHbUswONx8QlhfQYnnpy\/R85Na3DWMvwXLNBAqERWkZZKomQMIbQIRE0qyaS8pD\/S1iK2i0+KCh9nzrezGe2syhY9R0fJ\/XdWKevEaiI7kaqf1UefkR+nEV5Ton0W3N+LiNBqHq9gt0TY4ck8lB4MOrVIWh06NYI4dqR2XxG3d8UkPSyGsXZLY2DwVVGbGGG3rwPTBOXnxm94DBLqQATM9q5DPAAAx2DozZw5dByVWvjGoJA8EL9VQXQu1lEGLqJYNQyIVCkF6QW+5MjxYTioE4qtS8rNVnHqY4P21Cf03AxWuudr20+kG92517E9SQKKnas+QXUuGUrnpUjVl4By\/KUFnJ2+xdKCPpA+KrtUxlUnhmAvK7qpU\/U5QYVZWIgUVItSRUkOwG5PSUEUhbpCYjr6yl6lY88iNEysyPHFRS9YSqySI0eVc4rm8ImRTMH+ksOCPGH2De5Qn59KEuuVAecGPg2\/Mcddhn3Py+S8ulYnzyXMfE3XFNwHBvEiriFlv0XIjjwyA0r9hXwjK+aNKve2FnBMWar\/l13ISuiDDW9Wbg2B0b\/vKVaotaIqupOH3j6LXyhskiKT3XLI7kub+w00Rn3C\/2vUOopzgJn\/xBSioIUg8DQ8T8MFORO644OuC8Zg2RMpkd0tJgqM3LWCw3sxuSh6Vb4bnbfBDuAymXSjn9qOspEuBCeA1Hnqk6Z7EQbzo0cy649zYnv2ti9ahEUhoAM6L1YzTESZlB15lVjy0qDCdjPm+\/hz\/W0kOxYPfdhaIMKTSj9xaVgzMeNpmM0S5rGQwr3gvyFZt1867yMXPHyrpdt1UNsFQKFZyfbkG32GuCiNPP1\/QS9MzblcB5bksx08NY02uG5jalIPOsl3bAejoidRCqbCltzBCzag4e7AV8mQbO9hTv9z3eezvEGVMUsgiRjtDYdjvfVGBECkbf0ru9ReTmeGO+XvPbgeh2Ytdam\/apmAzbSJi1xS8AmGJUoNBA\/uhYrOfNjLMBec+NJqM9y9hzTfVeV7g8deX08XKP6Wz1myxKm8StLXGSkGfZS4O8ue1F0t+84XKj+3ZDouQUimMXjbIfKPaQhrIbUMK0vNtEpl+VtmSV4maqKwSVJ7EKWx8mI97X35iYPD1tvVSsC+LuPG1sPdvVCWQAiSx5sPOhx+nY9D0WgWtXvsyxMmXXwsz5yDIIG9aKaobKMQUTL8bZhrsfxI8oD2agVb2nqUAjSKOh9zA\/9wytMaN25ANVHe3gBEJur2EU0X3hOY5ITCD6HlgNXujbF0w1pIHw20BLpqBwQEEkLcHAg4VHX4BErQ1dBihCwT\/2cz8UPavHA1vbsDMAzxL7HBUf8cyofB6qUwvEP4\/O8z3KDrPpiGvBX3vGX2DmaYPwalg\/6jfs0hNG48mzt8+KrQoPXg1DYsRhwUShkGdH18juAZnuezGG9WMvdB3335J6xvq5xPaNlLrnyvPE00KysWdfWJefGmFNb2PjVNQ4jPs4ADPpqCp5NS55LkgFbcWZeLdV54Km98\/nNOiq72XXX0hVCnoHf7x8MuDyH5Z99myGbQTEr28pbGOfPXI3Jc\/u6q48VW7Gf2nEAWjg3fhYvhsAxhuosw\/1EaG6p\/ZbJTxd6CN4JLT5seUTCi3M9JEJm0rqpM4PDjdjWIAgDQqDPY76K1vB2PLk1lvfOfzwYGVj3zOxWP0mFhNK94nD7N3RdWWhuPITS4+5DaaxXzX1CQvIHK3CFA7j\/mjof5K5e\/1VV5szNtlTZHK4KZbzNnrMdm\/VWJGF0BrOVYUt0Sbox8qJLr6\/GwQJMk6Qenqonnn0f\/MPHWKYj1T5qszcd6n99XKbhzvW6nsb5wfGdaVhsp0WI+f7oMOfujihusQHk42NzfeiHuuZye5bILBKJs43YVrDT4cJSW6dKJkyg2t0rrscPlPNCdX2lPQIvq7EnSH3ACRL20hMeltlKW6O5c7ChXj+Pz\/Eb+vmo0e3DNCUI9apyyp2e3PgufsUcIkO13EGoqcXkimky1tZgX\/9bmhoxlxxUD7MhwUa3BuDottTACLzOvV\/prJ82LaEy\/UQo153zPT+JiyiUiAubV5ORlTSfUKA0OMLpIIUp7cc4fTDsEA80uypKBtae4x0LEbe+n7ERSTiUt2rWa5b0en217CsosrDNp0yJJlyM50Y6SPOGqvMInpBnZCX4ar7m7Zn4pvvNMmY4zwvG2KltKcdpuRZoVaWabSaRpQFcZCpDOa0fDb76nxwiIzH9mK2mlJ2VXZ35a2mmQVjdIfHxQAD20lwC9v9NtkfHuvd5D1Zomk4+i3C4WCanyKbxgGWu9ey2RAtqmKIAodDCCQCPfDkDQXsrdCM\/GdiC8RaY\/PlhKudY7Hsg9Dkvri1jMKoPWaTG0EQTLgPENU4tW5db8rawHN6ag0I37KiQuV7bX4Us+KYD\/G0wjqbsc0MNgE5TopN83GfdbMHM47m8xslieKIeWwh2yhJ0oDDe+ycS5D3yGepy2vgQj7gcZPpNZzHI8dW1I9\/d2z12KhcP1EFKOVbJ3C+agb7xgmovXLvnNR5ve1uu\/2B3sHt1h20WuMptiUGSKyUWmXjED5ECXcUOtBUk52E67\/Fcp\/1WVIMkNx8FYoRMsHmOR67K+ptMDhks2raXq6u0EVRyUNZ31hfwA9d2f5gfWL7BCev\/xhVW7Vc7Row0PSNajmpiuzsVqnaCAIZY9M70CrsgZ3vtmFqVaU89UJD7q4n6Pu9YGh4K9SDiG1gY0EG4QWHI6lp9FpFfXNvA8Db2MG7aAkeQ1nZaljfPy4SPh6KU\/ocbwtWf0JnzPYS+CU1qKrnG1G4Qo+UzoAWIIORIsCHCthQaxukg3CAu5XzfhZtc3nRZS9IUtvQORxhZ+HSpozkqS5VLdbWAOlsWGIGpkEmQOT4VSvcv8Scw3nEnf5f57Mckwfcv\/48CL9BxG2tl9S5im9NV0esQBS4x4GlPGhzmBLibFPumvGL0AoFt844Lbo7iayKSyKSGH4rNVBladJTlmIwV5N5wMjROgBK\/85+vHqE3VUGS6njvdkSBSy987XyMa161au6wYLeBOKQeGotUtQS0Ln52T9ESjQDQU89uoKDcxpbDZx3cEZSkiDymkaUkQAKRrkFrvO7l21XPFy1VRYVBGst0rDU\/XllzzY\/0y6OEd7cx9YYlrYJfcA\/HalWy2e+\/NJQZ0jg2hXvDZSj"} 01296{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1851,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":161,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1654385146276790,"flow_src_last_pkt_time":1654385146276790,"flow_dst_last_pkt_time":1654385146472685,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":526,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":10080,"flow_src_tot_l4_payload_len":526,"flow_dst_tot_l4_payload_len":11520,"midstream":1,"thread_ts_usec":1654385146472685,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49412,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"hkbn.content.1kxun.com","http": {"url":"hkbn.content.1kxun.com\/manga-hant\/images\/project\/cartoons\/13aeb81a47e7632ccdf1aefee19ea65e.jpg?format=webp","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} @@ -865,9 +865,9 @@ 04438{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1860,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_packet_id":2,"flow_src_last_pkt_time":1654385146276743,"flow_dst_last_pkt_time":1654385146500483,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":2946,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":2946,"pkt_l4_len":2912,"thread_ts_usec":1654385146500483,"pkt":"nLbQ0+MztKXvZygQCABFAAt0gVJAADYGXhcOiIhswKgCfgBQwORvtMvRImpQ7oAQAHplgQAAAQEICpoJIiweulb6+ZKcD+KnwfgPmxIli1SDP0WB+TC+gZ2zUZ1MJYnOEnfgrEfocekJHaOM+Eztu22jDjbrklrlhsLXwktGW5jFzoZr3Ytu7HRoxyemV6NLVS1v4GRaLHUchrowoMimCyOxZHfNMnA0GNdZ10WtBsw4gEq8H4X8y8f3\/RYH5Mn6eEzqjI8sPaA+ORFtFcdQ+TmjpdZPUsTpyl+nLhU\/9GpHgFqC51W1e7CLdEBDq\/FQ2WwcSw4ZRTbi\/WGpayOUjE4QZtyN0YXULC8rCWHS4N1MsqhVl2K8H4X8y8f3wgnA\/Jk\/Twlux8TrGuEW5nLXTDPqGMQAlYiMJpFjD2haZrB7TzXXPMjVOcqB6d6igpIOmaJ7Y0Mrz2\/yEfvD5pWGi27w9bKORzLvk9ue8s4aiSRSmdLv8x2K8H4X8y8R8w82CiFh+T6YwGSptZ8TjC0FXdnJzdcE9uEyZwnCOep1wtTzpxjxgEqVLJABXHJLpS3bD6ip0PC8K7M\/yCNVfrglIVQ4OuF2gykfOcPmMbjrz6bh1RnUy5\/MdivB+F\/MvEfOMae6F\/kz9fTSf9smb1on3k+Iw7BNmS0w7MRktM8Ff0Xj9teNF8yzhLN9Jw6SBbhxxSs+M6O4bTT17SVdMQjaF+od5bknXbynCwEsZiOD2GyrhdKmNjvU4f8AG3\/MdivB+KdZllzOEugJUa2YWL\/J9aj6bQ3CMt2YfYZsFk7yyBnI7ZuzfktnJM8b72B45z44I7RsxuiJlZCW6LUdmRB1qCOgwTgI1k8kxEblTVuyjGQPDs14YOevoKw+ODo3i1ks4XE2bddW9CQgJt\/y3Yrwfjg64GjfvwiDex7cLF\/kwZyfP0quvVEcRYOMIYp5ETODXaWekEYIkDknM53nDjYsO5h8fopHtsi3VbhwS0xs7wlfY7RrfW4ggHRM4TVKy\/xlLF9ZudYs668Jlec31c3Uc4T6djHl6evUbLRtfynYrLT6x1eC2dIZO6R+eFivyZGSOkc21mpHBAjzTIn\/AMSAFqMsjPuzkhyEJLBGBy8WixGRGPj9CZ0fSPWNduT2zXAXBq4nWNVvTCfY2zMzKo93KeUCRF6QE5wqyJvtTuTQGRGx\/JdivB+EzowvA\/kwsD5ctdc9OWzlwbY\/hrOD0Tni7E1kzleJbw9c6TkztjQ2kFPTJ85GkJslvP6P0PmszQmBvhmsCpmV\/h5i\/wAKrtF9NiRwGbcho55wUuZm1QZNpkDtIp4QJBZux9ivGin\/AJ3YrwfhExDC8D+TCwO8xwl0xEbplWQ+OiXecqXG0mM\/yC0Q1JW27xCupVnhwyNdqtGTB6hU1mIgYa3XkU6RaOBRM7p+gp7ZXnVVY96yCCx1XTFmQz6loZ6wCyJiCZwo+r6JMZNRGntVDWuYW4s1nNM4YzptecOUlfSFv5XYrwfiqxYSXgfnnDK29jq6xf15wB2wMYa4OCHbMRrmnJUYKd0pn3uDcKWa8mN5mWssYXS+kp75S0NFRuwhKCjGq0wy2w+2tc6xMcQnczdpgsyJ1yC7ORsHTkidr6jFgpD+vB\/kdivG2SwV7JLwHzQgnsSsQF+zT0zOQjjEMVjw1haSkSCIifKvKC3mj5Y0dhyZTzYXaZ7OnSY+nXWc6hLZVtLsn02hItxp6DxJvpBmdcW05ScHryidMCdwrPYVhHQPlWZqvh\/wL5OxXhXaTPVs5T4eTzWpdZai96\/dJXUiQ+eG1NuMULl2+GOXFVBmq1wm1t\/e7SKgbUIjtjB3B5nYWMiVDAyzGQARrrMR25zOkcj8wWkqvOVKuOPHP92npNYb2SGVWylvqJyWCWEusWTUQWLpMWbUEJpj1Nflwp2yKgEK58uzhHT6ziEWLnUyjSKtpinmyDXPhX5PSLmemNZ4TvLZtjYws1JcAW4uOUNJUomsWOsxoMaFkbJg5iIk8I9Qh4CFtmqo7zGeZ07Yc9uR8tMiJ+iY7hvIdWRnXLIsDkMHOvOm4d1lQ6yBacLn\/orawufLsV4Pwr5HPbhlxHpzGGCPYCVM5Dw0dMy7hb4EQKWREd\/lAFhbTj\/UlXsoXgqgc4iw4YZo6D7\/AH9QZYAKLGGAZan3j45a8jnvynzGRGn1V3dPItxhFUZnpBLJE0yLhzcOf\/QMCqI2VfjnHYvwfhXkvC\/moyXHqNcWyJH25Z4YBlXpwghd3It+SbIacSD9e5DuGB1I\/DDh1lrQkmTqSUkyJMYzTc0y6jfonJ7ly\/Y\/VPhfyyMGJmatA2IvCpBymdETpKz96fyI\/FjcV4OOyvkfhfyEdy5jIORz1i8EoITTMYZ++bEgYTuztmvYygA7dR4nKdPs\/wDw0zq\/aH2p3aQOLIQwz3nymfojI7R9AnHTPwgdx6HpPmI1WJQYXYkr1QJ6s93qGc3elCtP\/NjcX4Key\/kfiJ2zWsxhaGBeJ8o1WRRM5K9W+m7jArmsyWkPuY37mAexVQ5kXU0Ol\/C2LyFCUzUZEJPolcISMZ2\/RM6RPx5TkZHn6TnvSASnpryIVGEDnZWtFSC8xDZDqFgVsUvbDHCziMaQj9Nxfg\/CvJ+P1lewWpC+M\/6sCZkNcauJgI3w0ZNgAKljG0gDaLZnelnTaUaZvIcuELkDXrEtlHTJncf0T3k\/lzjyHnlrymdCnzSWEJ3AMzYkcVaIbDRK45dYBywMMGsuRy5a9HTpTo1ha148OjF+D8K8lm2cIcjAcwV+pXyCd2XLPUJYmwhjbBnuKA05Wo0dldu4Sx0blik+naLpoHxzmdIpJ61iOCVdZ4HTyeBVMZwOsIWKAKWPj6DwI1OnG2rOwsuJEcMIlkyzWETOFTgxYxYBbtHcsVZ++f8AFjw7F+D8K8zyPyCuqyFFt9OvAg2TduQkFnrFRwADHEUV5jbjLYDJbmFI8hZ1YLvFVu5HHJ2iPjmU6zSWYwsrW2WWBiD\/AOcmnOWY0r\/r6D8VQ3sSDZj08TLkwL+ipeK+PjCfGziF0rbMrfyi\/h\/puL8Hge2dYnJnTBEjKtW6C9YmNcmRAGx1Y4ZIQ+Ggc9HrT7Vi5kwvhzpZYCcnTQp751N8rOVzxV\/WfHjkU4sd7K49tceW9lgtFriIXfLRX0lnDo7qn2MdshEdzZ1D64xjC2q4wwt3IZ2n4p\/pneRHtsyhUh728KWWTws4KukVDqGu\/dGxWWHQfL08wKvuCRAldq02w2xcfI8OLS1BZJ8ojWW+zHDGOLc2PGT2jKi9Wp7Ruxc7n2D1jdnEJ1bz1KM38qJQK\/Ue0AyXaxr2V5ayN9p02bX65ILqcI\/UD35cOTKU5BwZ69QfZt6mdSJwrBzgsMyozo9GisNg6WrPunvNSdLUc4nbDmdosbUeZzxhFukYyqW3BONN2JL3sLVu7Lk\/d+jTNBjE7SlOgw2S0ie8BM5vFS5sEXKPHLgvv4XaSVZ27AGTJFFiyFUbGq3Z04CqqN4luHFjERq\/HDsxXmr\/ACFj1JSXVziFY6tzFTtbHMtcIZx\/bI8zGmFODGuTi+2AzbkPjIPaxs+6Hxlufd9Jea8iA6smBV3iBGN+6bVnrEU8gnJzTP8AHi1pcQr9cDHTKc6Wx75u7mP2gPtBGhktMo27Z3nlqPuBMRnDq0mdpm4xP71yuq+PEKK44Vg+IjWYXkhGPyz2xLNkkWRGvIO5QO6NkjkRnfNxRkmUYepQE9uU+I8TGuI7ZGDIjBM1yy37X0jn+P8AaG5Zfpa4XT3ZOT853LwyA57ZBhnnNCy3\/KR+WrlL89j4Zp\/y4v8AGvIwsPLXkfOD4LwHwH48ixnn+5+I+fIsHxi8H4fu15sfn\/Q5+585HngHyblr+Wv8c5\/acmI3bRzwx\/YYmdP\/xAAqEQACAgEE"} 02485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1882,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_packet_id":3,"flow_src_last_pkt_time":1654385146276743,"flow_dst_last_pkt_time":1654385146710077,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385146710077,"pkt":"nLbQ0+MztKXvZygQCABFAAXUgVlAADYGY7AOiIhswKgCfgBQwORvtNcRImpQ7oAQAHoCWgAAAQEICpoJIwAeulfZAgICAQUBAQAAAAAAAQIREAMSITEgQRMiBDJRIzBCYXFigf\/aAAgBAwEBPwHwT4w8bm3USMYxX27PjlLlkYJD1Ir2KafTHpqx2v26HH3EU7EPHsmL+zZdjdCUtT\/h\/wCYGlBdk9ZRG5T\/AGdDWmlwPa+iMpR7N6l0ONfqTpkZl4smLFZlwJ4RYo0N2fI62kNaCW0nq+oEYe2LTjRLbfBpxi0ShGOLeEqLojK8TEIcrzqO3Ylm6Q5WXh4it\/Bzp8mhX\/0nJRnwSL\/jx6LJiwvBZk8vKtPgk3XJPreicVGA2JWdFi5KxEmIXeGX5NCid8FFcDQp0uUKM5Kie6L+w\/5EuCUaFGzZQuTo2ut6JOxZZXik3yNC4VjUeyjckLklSIytWa7W2vYkmuySo9YuyL5H2afdeiqIrF5Xgl\/TY2N4TEvtRONS2lx0o17Kjsv2OLi7JKL5RJJxtF5SpFlXEu+xf2dSdQoVpk408I0dNzdnxJ6m01dNQR+5OcktjPjTIxsktuIw9smx\/wAkJR28k6vgXkot9ZVOZqcITTJaf8FGjqqCpm9p77F95W2JqH1kS1N8ro+0SLUGSlZGKXI3Q3YkuhRvhdmpGmIWJK8qbXWfx+Z0a8eLGqE+CUZVbO4kokG0+DfIUmjfLKkX6KwnTs1J7neL8oxbIxSVGjppcjjaJx2umM+W4bTTltZrxqmiiiisR021Z1i\/DabfGOjYoqIuRKsfkwtWIsuiWpujtEhtIaKKN\/1rzssrPRZKddn4rc3eWrRqR2yaFiKoRLUjdCeGhupULKyi8PvD1odHy30PcnyaGvt\/4KSasnrbejT1dySNWMlLk6xFNsrkdCdEluO0NclYRtLihixY2Wh8TGjsiq4NLX+N89EoqfJopxZrxuGLNL9icK5HhD46yxriy8PwfeNRdPwmaWq48Gm7ZPofYjS\/ZH5MtsaFTjQtMdLosReKoQ1fg8Ujbu4I\/iR9s\/J0VCKccT7I9o3VTJMl2McmhycuxG\/Ho3F4trsv+CzvwWdOfHJrx3QeJ94+T60zQ1r+jNT9i\/Kv5wmJknYv9DZ6OUX4ItpkJzlKia2yaJYYnTsb9mnpSkT09vh0PoeIsbTRvOH7JZXglFnEI2Tm27Y3Ymd8iVmlpQ9iiakOGihtCd8Ej14XheC8FI1NVylRZSNpVY0Hx\/zE198r9jVRNkY8DWGsIZWI5eGuSvBmh7QpfU1JrsfIhGq7Q+RSGhrCXhVi\/t6LakamrtG5SEuBCJdeHY8VwesLEJblfihFihJkdJezo1OZFliOmSXAvBlG2O2\/FKvFo\/0RnXSPkmW\/bHqpdF+8oqz0dYjKuzchsZtf7ZoXlFWa0Psj5GNtlCVj4wxcFikNZoaw39PBE+jaxyFO1WNPs1K8ExliOxPCbXI5buiKHed7khl0hdY9nAo2bafB8basTou8cnwzZKO10N4WGy0WaenvQ9GSKaHxhP61iSuNEVUaFbXJRSE+ax2Vj4qSbNLRdHxcck5W2xiy2Xj8OdTocV\/A9GLNT8Z+iUUl1ybvullFexssQo2KVMkLs+NY\/I1NumxK3QxZeIqzQ\/dFn5WrKKVGnxBH5CjdlXK8rovLEx9FkjT1px6I\/k8Wz8rWUo8Dd4jl5\/GX9RFmq0+JLgjq7VtRrS5P8h5cjdZbGUV7OyhH+JrO8IhC1ZsPj+o8RNOPs03T7Jz3G+sN\/dDxaaxGBTLsXAvsS44Gzo0tRPgm7wl6NpRN1F4oSIcxxLhFtyw\/2RJ0OTZFcclIRSJOiLuPJdZkuCH16GhcGirdlY1l9co0lwdGoyixolyQXsTxeGf6EiRBWa6pcEHyW3wM0VwRijUjRNWhixodGoy7wj\/Ej+7Xl\/\/EACoRAAICAQQBBAICAwEBAAAAAAABAhEDEBIhMSIEEzJBUWEgQhQzQwWB"} 01282{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1882,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1654385146276743,"flow_src_last_pkt_time":1654385146276743,"flow_dst_last_pkt_time":1654385146710077,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":514,"flow_dst_max_l4_payload_len":2880,"flow_src_tot_l4_payload_len":514,"flow_dst_tot_l4_payload_len":4320,"midstream":1,"thread_ts_usec":1654385146710077,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49380,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"hkbn.content.1kxun.com","http": {"url":"hkbn.content.1kxun.com\/manga-hant\/images\/project\/cartoons\/f05074256b39572ad852c1c95eb5f8a7.jpg","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} -01354{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1985,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":159,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385146263001,"flow_src_last_pkt_time":1654385147139518,"flow_dst_last_pkt_time":1654385147568107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":15840,"flow_src_tot_l4_payload_len":1040,"flow_dst_tot_l4_payload_len":85228,"midstream":1,"thread_ts_usec":1654385147568107,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49370,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":80879.0,"flow_max":876517,"flow_stddev":179290.7,"c_to_s_min":2111,"c_to_s_avg":439314.0,"c_to_s_max":876517,"c_to_s_stddev":437203.0,"s_to_c_min":1,"s_to_c_avg":52204.2,"s_to_c_max":236517,"s_to_c_stddev":91240.0},"pktlen": {"c_to_s_min":580,"c_to_s_avg":586.0,"c_to_s_max":592,"c_to_s_stddev":6.0,"s_to_c_min":351,"s_to_c_avg":2906.9,"s_to_c_max":15906,"s_to_c_stddev":3087.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01359{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2000,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385146276743,"flow_src_last_pkt_time":1654385147163604,"flow_dst_last_pkt_time":1654385147585918,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":18720,"flow_src_tot_l4_payload_len":1040,"flow_dst_tot_l4_payload_len":97896,"midstream":1,"thread_ts_usec":1654385147585918,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49380,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":354,"flow_avg":78996.0,"flow_max":886861,"flow_stddev":178261.6,"c_to_s_min":15853,"c_to_s_avg":451357.0,"c_to_s_max":886861,"c_to_s_stddev":435504.0,"s_to_c_min":354,"s_to_c_avg":50352.9,"s_to_c_max":237591,"s_to_c_stddev":90255.6},"pktlen": {"c_to_s_min":580,"c_to_s_avg":586.0,"c_to_s_max":592,"c_to_s_stddev":6.0,"s_to_c_min":351,"s_to_c_avg":3329.2,"s_to_c_max":18786,"s_to_c_stddev":3784.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01361{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2008,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1654385146253018,"flow_src_last_pkt_time":1654385147560064,"flow_dst_last_pkt_time":1654385147928387,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":18720,"flow_src_tot_l4_payload_len":1554,"flow_dst_tot_l4_payload_len":113644,"midstream":1,"thread_ts_usec":1654385147928387,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49372,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":154447.3,"flow_max":1033216,"flow_stddev":265914.9,"c_to_s_min":407339,"c_to_s_avg":780087.3,"c_to_s_max":1033216,"c_to_s_stddev":269149.5,"s_to_c_min":1,"s_to_c_avg":72842.1,"s_to_c_max":371504,"s_to_c_stddev":113005.0},"pktlen": {"c_to_s_min":580,"c_to_s_avg":584.0,"c_to_s_max":592,"c_to_s_stddev":5.7,"s_to_c_min":351,"s_to_c_avg":3984.8,"s_to_c_max":18786,"s_to_c_stddev":4268.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1985,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":159,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385146263001,"flow_src_last_pkt_time":1654385147139518,"flow_dst_last_pkt_time":1654385147568107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":15840,"flow_src_tot_l4_payload_len":1040,"flow_dst_tot_l4_payload_len":85228,"midstream":1,"thread_ts_usec":1654385147568107,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49370,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":83908.6,"flow_max":876517,"flow_stddev":182026.6,"c_to_s_min":876517,"c_to_s_avg":876517.0,"c_to_s_max":876517,"c_to_s_stddev":0.0,"s_to_c_min":1,"s_to_c_avg":52204.2,"s_to_c_max":236517,"s_to_c_stddev":91240.0},"pktlen": {"c_to_s_min":580,"c_to_s_avg":586.0,"c_to_s_max":592,"c_to_s_stddev":6.0,"s_to_c_min":351,"s_to_c_avg":2906.9,"s_to_c_max":15906,"s_to_c_stddev":3087.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01355{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2000,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385146276743,"flow_src_last_pkt_time":1654385147163604,"flow_dst_last_pkt_time":1654385147585918,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":18720,"flow_src_tot_l4_payload_len":1040,"flow_dst_tot_l4_payload_len":97896,"midstream":1,"thread_ts_usec":1654385147585918,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49380,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":354,"flow_avg":81334.7,"flow_max":886861,"flow_stddev":181110.5,"c_to_s_min":886861,"c_to_s_avg":886861.0,"c_to_s_max":886861,"c_to_s_stddev":0.0,"s_to_c_min":354,"s_to_c_avg":50352.9,"s_to_c_max":237591,"s_to_c_stddev":90255.6},"pktlen": {"c_to_s_min":580,"c_to_s_avg":586.0,"c_to_s_max":592,"c_to_s_stddev":6.0,"s_to_c_min":351,"s_to_c_avg":3329.2,"s_to_c_max":18786,"s_to_c_stddev":3784.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01359{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2008,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1654385146253018,"flow_src_last_pkt_time":1654385147560064,"flow_dst_last_pkt_time":1654385147928387,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":18720,"flow_src_tot_l4_payload_len":1554,"flow_dst_tot_l4_payload_len":113644,"midstream":1,"thread_ts_usec":1654385147928387,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49372,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":119296.6,"flow_max":899707,"flow_stddev":203504.9,"c_to_s_min":407339,"c_to_s_avg":653523.0,"c_to_s_max":899707,"c_to_s_stddev":246184.0,"s_to_c_min":1,"s_to_c_avg":72842.1,"s_to_c_max":371504,"s_to_c_stddev":113005.0},"pktlen": {"c_to_s_min":580,"c_to_s_avg":584.0,"c_to_s_max":592,"c_to_s_stddev":5.7,"s_to_c_min":351,"s_to_c_avg":3984.8,"s_to_c_max":18786,"s_to_c_stddev":4268.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2035,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":163,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385156800184,"flow_src_last_pkt_time":1654385156800184,"flow_dst_last_pkt_time":1654385156800184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":423,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":423,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":423,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385156800184,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.217.18.98","src_port":44368,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01094{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2035,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":163,"flow_packet_id":1,"flow_src_last_pkt_time":1654385156800184,"flow_dst_last_pkt_time":1654385156800184,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":489,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":489,"pkt_l4_len":455,"thread_ts_usec":1654385156800184,"pkt":"tKXvZygQnLbQ0+MzCABFAAHb3B5AAEAG2pzAqAJ+rNkSYq1QAFBdWbpPyM9cBIAYAfaELwAAAQEICmU8LGE7CqI\/R0VUIC90YWcvanMvZ3B0LmpzIEhUVFAvMS4xDQpIb3N0OiB3d3cuZ29vZ2xldGFnc2VydmljZXMuY29tDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTGludXg7IEFuZHJvaWQgMTE7IHNka19ncGhvbmVfeDg2IEJ1aWxkL1JTUjEuMjAxMDEzLjAwMTsgd3YpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS84My4wLjQxMDMuMTA2IE1vYmlsZSBTYWZhcmkvNTM3LjM2DQpBY2NlcHQ6ICovKg0KWC1SZXF1ZXN0ZWQtV2l0aDogY29tLnNjZW5ld2F5Lmthbmthbg0KUmVmZXJlcjogaHR0cDovL21hbmdhd2ViLjFreHVuLm1vYmkvDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkNCg0K"} 01222{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2035,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":163,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385156800184,"flow_src_last_pkt_time":1654385156800184,"flow_dst_last_pkt_time":1654385156800184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":423,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":423,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":423,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385156800184,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.217.18.98","src_port":44368,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.GoogleServices","proto_id":"7.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","http": {"url":"www.googletagservices.com\/tag\/js\/gpt.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} @@ -889,7 +889,7 @@ 02024{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2060,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":168,"flow_packet_id":1,"flow_src_last_pkt_time":1654385157001678,"flow_dst_last_pkt_time":1654385157001678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1185,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1185,"pkt_l4_len":1151,"thread_ts_usec":1654385157001678,"pkt":"tKXvZygQnLbQ0+MzCABFAASTjHtAAEAGODHAqAJ+oXUNHcQAAFCrgt7ji0XD5YAYAfZ2PgAAAQEICrrGVbOXEVcWR0VUIC9pbWFnZXMvbGlzdF9kZWZhdWx0LnBuZyBIVFRQLzEuMQ0KSG9zdDogbWFuZ2F3ZWIuMWt4dW4ubW9iaQ0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDExOyBzZGtfZ3Bob25lX3g4NiBCdWlsZC9SU1IxLjIwMTAxMy4wMDE7IHd2KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBWZXJzaW9uLzQuMCBDaHJvbWUvODMuMC40MTAzLjEwNiBNb2JpbGUgU2FmYXJpLzUzNy4zNg0KQWNjZXB0OiBpbWFnZS93ZWJwLGltYWdlL2FwbmcsaW1hZ2UvKiwqLyo7cT0wLjgNClgtUmVxdWVzdGVkLVdpdGg6IGNvbS5zY2VuZXdheS5rYW5rYW4NClJlZmVyZXI6IGh0dHA6Ly9tYW5nYXdlYi4xa3h1bi5tb2JpL2Nzcy9hcHAuY3NzPzE0OTA1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkNCkNvb2tpZTogX19xY193SWQ9NDcyOyBwZ3ZfcHZpZD0xNTc5MTk5MjgwOyBhY2Nlc3NfdG9rZW49bnVsbDsgX19nYWRzPUlEPWZjMGYyMmY3OGQ4MmZiNDQtMjJjNDllMTdhOGNkMDBjMTpUPTE2NTQzODUxNDM6UlQ9MTY1NDM4NTE0MzpTPUFMTklfTVlxQy1PUjQwVGFRTFBJdTd2aGtaLS1VMXRtLVE7IF9nYT1HQTEuMi42OTQ1MjQ1MjguMTY1NDM4NTE0MjsgX2dpZD1HQTEuMi4yMDQ5ODYxNjI3LjE2NTQzODUxNDM7IF9nYXQ9MTsgX2dhdF9ndGFnX1VBXzE1NDc1NzkyOV81Nz0xOyBfdHRfZW5hYmxlX2Nvb2tpZT0xOyBfdHRwPWU4NDYzOWI3LTk0MDAtNDA2Yy05N2UxLTAzZjhkYTQ4MTVmODsgaXNfc2F2ZV9jb29raWU9dXNJTXZIa3hQNEpEWGhjOyBfY3JlYXRlX2RhdGU9MjAyMi82LzQ7IG5vbl9uYXRpdmVfZG9tYWluPWh0dHBzOi8vYWtlbWFuZ2Eub3ItZnJuZC5jb207IF92ZXJzaW9uPXYyMDIwMDUwNTsgX2dlbmVyYWxfc3Vic2NyaWJlPTI7IGNsb3Vkb3dsc191dWlkPTM1YmYzNmRmLTBiYWUtZTA5Mi1mMmIxLWI3MzlmNTZjM2VjZDsgY2xvdWRvd2xzX2lzX3N1YnNjcmliZT0xOyBzdWJzY3JpYmVfZ2VuZXJhbF90b2tlbj0zNWJmMzZkZi0wYmFlLWUwOTItZjJiMS1iNzM5ZjU2YzNlY2Q7IGxhc3RfdXJsPW51bGwNCg0K"} 01213{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2060,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":168,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385157001678,"flow_src_last_pkt_time":1654385157001678,"flow_dst_last_pkt_time":1654385157001678,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1119,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1119,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1119,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385157001678,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":50176,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"mangaweb.1kxun.mobi","http": {"url":"mangaweb.1kxun.mobi\/images\/list_default.png","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} 01550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2061,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":164,"flow_packet_id":2,"flow_src_last_pkt_time":1654385156962711,"flow_dst_last_pkt_time":1654385157145999,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":748,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":748,"pkt_l4_len":714,"thread_ts_usec":1654385157145999,"pkt":"nLbQ0+MztKXvZygQCABFAALe44NAADQG7t2hdQ0dwKgCfgBQw9yTFLQsi9xmdIAYAPSXNAAAAQEICpcRV7G6xlWMSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNTo1NyBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nDQpDb250ZW50LUxlbmd0aDogMzY2DQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpMYXN0LU1vZGlmaWVkOiBGcmksIDE2IE9jdCAyMDIwIDA3OjExOjEwIEdNVA0KRVRhZzogIjVmODk0NzhlLTE2ZSINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjU6NTcgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNColQTkcNChoKAAAADUlIRFIAAABaAAAAWggDAAAAD3axMAAAAFFQTFRFAAAA\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/CDfnXgAAABp0Uk5TAOEQHt3X0s4WI+fFBvPkMNPJq0tAC7VRUC7\/IHCDAAAAsklEQVRYw+3W6wqDMAwF4Fi13nX3y3n\/Bx1dmT\/mYBZSsHK+BziEkiYRIiIiIiLaC3M6Sxx9B1wkBlMBGO6iz3Rwil60XSs441O01T65aESbOcJpIySXvuZctOUHOKV+cm3hZBGSCziVEW2Nf2cboeYSb63N\/rASZhqxmoS5YbVhO1WHvPWGOuS7r1P5jYsZksjkW87rNLbMvBvbSbw0NvrnDnnILInryd98REREREQ\/vAAzzxwTVWsbZwAAAABJRU5ErkJggg=="} -01369{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":150,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1654385140835391,"flow_src_last_pkt_time":1654385156967826,"flow_dst_last_pkt_time":1654385157149701,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":434,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1114,"flow_dst_max_l4_payload_len":14400,"flow_src_tot_l4_payload_len":6674,"flow_dst_tot_l4_payload_len":81693,"midstream":1,"thread_ts_usec":1654385157149701,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":45416,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":1083615.9,"flow_max":6045020,"flow_stddev":2003939.2,"c_to_s_min":61731,"c_to_s_avg":2024270.8,"c_to_s_max":6045020,"c_to_s_stddev":2417795.2,"s_to_c_min":1,"s_to_c_avg":741559.6,"s_to_c_max":5959115,"s_to_c_stddev":1706333.0},"pktlen": {"c_to_s_min":500,"c_to_s_avg":900.2,"c_to_s_max":1180,"c_to_s_stddev":214.9,"s_to_c_min":709,"s_to_c_avg":3469.9,"s_to_c_max":14466,"s_to_c_stddev":3207.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01370{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":150,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1654385140835391,"flow_src_last_pkt_time":1654385156967826,"flow_dst_last_pkt_time":1654385157149701,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":434,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1114,"flow_dst_max_l4_payload_len":14400,"flow_src_tot_l4_payload_len":6674,"flow_dst_tot_l4_payload_len":81693,"midstream":1,"thread_ts_usec":1654385157149701,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":45416,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":1118853.2,"flow_max":6045020,"flow_stddev":2029038.4,"c_to_s_min":186128,"c_to_s_avg":2304633.5,"c_to_s_max":6045020,"c_to_s_stddev":2460083.8,"s_to_c_min":1,"s_to_c_avg":741559.6,"s_to_c_max":5959115,"s_to_c_stddev":1706333.0},"pktlen": {"c_to_s_min":500,"c_to_s_avg":900.2,"c_to_s_max":1180,"c_to_s_stddev":214.9,"s_to_c_min":709,"s_to_c_avg":3469.9,"s_to_c_max":14466,"s_to_c_stddev":3207.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 01703{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2063,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":165,"flow_packet_id":2,"flow_src_last_pkt_time":1654385156971856,"flow_dst_last_pkt_time":1654385157153682,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":832,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":832,"pkt_l4_len":798,"thread_ts_usec":1654385157153682,"pkt":"nLbQ0+MztKXvZygQCABFAAMy+MlAADQG2UOhdQ0dwKgCfgBQw+Q76a9lejKjSIAYAPQgmwAAAQEICpcRV7e6xlWVSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNTo1NyBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nDQpDb250ZW50LUxlbmd0aDogNDUwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpMYXN0LU1vZGlmaWVkOiBGcmksIDE2IE9jdCAyMDIwIDA3OjExOjEwIEdNVA0KRVRhZzogIjVmODk0NzhlLTFjMiINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjU6NTcgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNColQTkcNChoKAAAADUlIRFIAAABaAAAAWggDAAAAD3axMAAAAG9QTFRFAAAA\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/L9MC0QAAACR0Uk5TAJSpvW0XB\/bWdRD8t6aZi3E3AvPs3s20r6B8d2dTI0U7LisEPmah4wAAAN5JREFUWMPt1MkOglAMheGi3AsOgDhP4NT3f0YhYiQGMcg9iYvzr7rpt2lSYYwxxhhj7C172I4F0nykCrFLuSiei\/sOWhYa9\/JIKxol69S5PNMqDyYHR8eyr89WKUrWtQXIiCv6kxqduJSPdXl5diinC60VDAevon2\/h5JoS+u8szd85BdjrG3tOtO1Ra+VDn6lva+0ksbT+DNucHQGo0MDo\/0bil7kgqITi6InqaDo6RhGZ4KiVwZGzwRFL68w2rN96f0n+iR9aRM2y5HtRUflfNk0ybERxhhjjLG\/7A7dOIR9fLd0dQAAAABJRU5ErkJggg=="} 01228{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2064,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":166,"flow_packet_id":2,"flow_src_last_pkt_time":1654385156978849,"flow_dst_last_pkt_time":1654385157162185,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":574,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":574,"pkt_l4_len":540,"thread_ts_usec":1654385157162185,"pkt":"nLbQ0+MztKXvZygQCABFAAIwUYBAADQGgY+hdQ0dwKgCfgBQw\/TiBgbELqLpRYAYAPSjggAAAQEICpcRV8K6xlWcSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNTo1NyBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nDQpDb250ZW50LUxlbmd0aDogMTkzDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpMYXN0LU1vZGlmaWVkOiBGcmksIDE2IE9jdCAyMDIwIDA3OjExOjEwIEdNVA0KRVRhZzogIjVmODk0NzhlLWMxIg0KRXhwaXJlczogRnJpLCAwMiBTZXAgMjAyMiAyMzoyNTo1NyBHTVQNCkNhY2hlLUNvbnRyb2w6IG1heC1hZ2U9Nzc3NjAwMA0KQWNjZXB0LVJhbmdlczogYnl0ZXMNCg0KiVBORw0KGgoAAAANSUhEUgAAAFoAAABaBAMAAADKhlwxAAAAD1BMVEUAAAD\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/+PQt5oAAAABHRSTlMA8a0mzjE4JAAAAF1JREFUWMPt0LsNgDAMRVEgC\/DJACAYANgg6O0\/E0qKpLIipYt0T2PryYXtAQAA9OpdzlTdsd45sDivkKYeaSuBYZK0x+aSvhIYRklzbLwUctA+Xd+k\/cr6BwEAwA+l3hHvzEdfEgAAAABJRU5ErkJggg=="} 01547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2065,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":167,"flow_packet_id":2,"flow_src_last_pkt_time":1654385156997634,"flow_dst_last_pkt_time":1654385157178524,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":746,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":746,"pkt_l4_len":712,"thread_ts_usec":1654385157178524,"pkt":"nLbQ0+MztKXvZygQCABFAALcrA1AADQGJlahdQ0dwKgCfgBQw\/a\/BfvNoaiIL4AYAPQ5GAAAAQEICpcRV9K6xlWuSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNTo1NyBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nDQpDb250ZW50LUxlbmd0aDogMzY0DQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpMYXN0LU1vZGlmaWVkOiBGcmksIDE2IE9jdCAyMDIwIDA3OjExOjEwIEdNVA0KRVRhZzogIjVmODk0NzhlLTE2YyINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjU6NTcgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNColQTkcNChoKAAAADUlIRFIAAABaAAAAWggDAAAAD3axMAAAAFFQTFRFAAAA\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/CDfnXgAAABp0Uk5TAOEQHt3X0s4WI+fFBvPkMNPJq0tAC7VRUC7\/IHCDAAAAsElEQVRYw+3WWQ7DIAwEUCckUMjWfZn7H7RC\/DTqR4OE1SDNO8DIssC2EBERERHRv13Orei4AsMoGh4TAKdR99ghGjSyXzMid5PyfJeyD1KeD4hOGj0xqe5eJbtHdDRSnmkQWY1+tw5Rp5FtbOq3l1y2+cEGpOzsurHZvEieCZvd91N1Vq9380Jy3nUtv\/FzhtQy+dbzuo4ts4TVbqxkoz+\/75AKrqd08xERERERKXoDf5McEz6WWVMAAAAASUVORK5CYII="} @@ -904,14 +904,14 @@ 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2085,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385176795709,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385176795709,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":207,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":207,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385176795709,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":38316,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00806{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2085,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_packet_id":1,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385176795709,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":273,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":273,"pkt_l4_len":239,"thread_ts_usec":1654385176795709,"pkt":"tKXvZygQnLbQ0+MzCABFAAEDkpJAAEAGvoDAqAJ+rGl5UpWsAFD4\/KHAFVJVKoAYAfbp1wAAAQEICvK1uWDJom0fR0VUIC92aWRlb19rYW5rYW4vaW1hZ2VzL3ZpZGVvcy80MDcwMS04ZmE3ZDkxNmM1NWUzMWY5MGZhNTVmNDUwYjcxNjUwNS5qcGcgSFRUUC8xLjENCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlDQpIb3N0OiBwaWMuMWt4dW4uY29tDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXANClVzZXItQWdlbnQ6IG9raHR0cC8zLjEwLjANCg0K"} 01062{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2085,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385176795709,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385176795709,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":207,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":207,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385176795709,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":38316,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"pic.1kxun.com","http": {"url":"pic.1kxun.com\/video_kankan\/images\/videos\/40701-8fa7d916c55e31f90fa55f450b716505.jpg","code":0,"content_type":"","user_agent":"okhttp\/3.10.0"}}} -01372{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2087,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":141,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":28,"flow_first_seen":1654385136206220,"flow_src_last_pkt_time":1654385176599830,"flow_dst_last_pkt_time":1654385177114485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":23040,"flow_src_tot_l4_payload_len":838,"flow_dst_tot_l4_payload_len":163493,"midstream":1,"thread_ts_usec":1654385177114485,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":2904040.0,"flow_max":39119714,"flow_stddev":9985043.0,"c_to_s_min":11241,"c_to_s_avg":10101213.0,"c_to_s_max":39119714,"c_to_s_stddev":16756675.0,"s_to_c_min":1,"s_to_c_avg":1704511.0,"s_to_c_max":38675191,"s_to_c_stddev":7710263.5},"pktlen": {"c_to_s_min":273,"c_to_s_avg":275.5,"c_to_s_max":278,"c_to_s_stddev":2.5,"s_to_c_min":386,"s_to_c_avg":5905.0,"s_to_c_max":23106,"s_to_c_stddev":6635.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01374{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2087,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":141,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":28,"flow_first_seen":1654385136206220,"flow_src_last_pkt_time":1654385176599830,"flow_dst_last_pkt_time":1654385177114485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":23040,"flow_src_tot_l4_payload_len":838,"flow_dst_tot_l4_payload_len":163493,"midstream":1,"thread_ts_usec":1654385177114485,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":3011180.5,"flow_max":39119714,"flow_stddev":10152453.0,"c_to_s_min":392939,"c_to_s_avg":13464536.0,"c_to_s_max":39119714,"c_to_s_stddev":18142044.0,"s_to_c_min":1,"s_to_c_avg":1704511.0,"s_to_c_max":38675191,"s_to_c_stddev":7710263.5},"pktlen": {"c_to_s_min":273,"c_to_s_avg":275.5,"c_to_s_max":278,"c_to_s_stddev":2.5,"s_to_c_min":386,"s_to_c_avg":5905.0,"s_to_c_max":23106,"s_to_c_stddev":6635.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00958{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2093,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":169,"flow_packet_id":2,"flow_src_last_pkt_time":1654385176794071,"flow_dst_last_pkt_time":1654385177118137,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":387,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":387,"pkt_l4_len":353,"thread_ts_usec":1654385177118137,"pkt":"nLbQ0+MztKXvZygQCABFAAF1WjBAADYGAHGsaXlSwKgCfgBQlbaIVDfjwISJoIAYAOs4SwAAAQEICsmibd\/ytbleSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNjoxNiBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDg3MzAzDQpMYXN0LU1vZGlmaWVkOiBTdW4sIDI5IE1heSAyMDIyIDAzOjI3OjU1IEdNVA0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KRVRhZzogIjYyOTJlODNiLTE1NTA3Ig0KRXhwaXJlczogRnJpLCAwMiBTZXAgMjAyMiAyMzoyNjoxNiBHTVQNCkNhY2hlLUNvbnRyb2w6IG1heC1hZ2U9Nzc3NjAwMA0KQWNjZXB0LVJhbmdlczogYnl0ZXMNCg0K"} 02534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2094,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":169,"flow_packet_id":3,"flow_src_last_pkt_time":1654385176794071,"flow_dst_last_pkt_time":1654385177118137,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385177118137,"pkt":"nLbQ0+MztKXvZygQCABFAAXUWjFAADYG\/BCsaXlSwKgCfgBQlbaIVDkkwISJoIAQAOsFsgAAAQEICsmibd\/ytble\/9j\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMAAgEBAQEBAgEBAQICAgICBAMCAgICBQQEAwQGBQYGBgUGBgYHCQgGBwkHBgYICwgJCgoKCgoGCAsMCwoMCQoKCv\/bAEMBAgICAgICBQMDBQoHBgcKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCv\/AABEIAeABkAMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APgjVdV+IGpeNdTTTtd1OT\/iYShQt3If4z715latCnfmZ4ajObaSOi0zwV+0DrcSLpOm67cMW4EbSsen1ryK+aYKk\/enY7KeExc0rRubK\/Ab9smSMS2nw88XzK33THaTNn8jXGs\/ytys6y+86P7OzBL4GMPwE\/bXkJVfhP44LDsbGcVX9u5Zf+NH7w\/s\/MP+fbIJvgF+24fkf4R+NPqbWerWd5V\/z+X3g8uzD\/n2xY\/2Z\/24rhd0fwk8X\/iJB\/M0\/wC38q\/5+on+zcw\/kf3kkX7K\/wC3VOdsfwk8Xk9vmcfzapef5Sl\/GX4gssx\/8j+9Fgfsj\/t9Bdw+DnjFuP4Nzfyas3n2Uv8A5er8S1luYL7D\/D\/MY\/7Kv7e8QP8AxZTx6cf3LKdv5U\/7cyt\/8vl94\/7OzDrTZm3v7PH7cFqStz8GfiCCOv8AxK7v+grSOcZY9qy+8h4HHL\/l2\/uMq8+C\/wC2LaqWuvhV49QDqW0y7\/wrVZrlvSsvvM3gsb1hL7iinw2\/aqlk8qP4feOGbOCF066OP0qv7UwCX8aP3oSwmLf\/AC7l9zNTT\/gP+2Hf\/wCp+H3i9Af+e6yR\/wDoRFc887yuG9ZfI1jgMa1pTZrWv7Nf7Ygw8nhfX4x3Mt2ygfiWrlnn+WW0maLLsd1gXrb4P\/tRaU+24stVJHUJflz\/AOOk1xTznLpbTf3MpZfjVo4\/idL4f+HH7SdyQh0LWyfe7Kj\/AMeIry6+cZf0q\/mb08vxr3j+KOx0n4QfH3CreaPrKE9N2oqB+r1xf2vQl8E2\/lL\/ACOlYKUfjVvmv8zft\/gv8cXj\/d22ok44X+2IM\/8Ao2iOOnLbm\/8AAZf5DdKnHeUV\/wBvR\/zKOq\/Aj9qa4UjR\/C\/iCcnp5N3E3\/tWuunjacfjbXyl\/kYTo8\/wST\/7ej\/mcN4r\/Z4\/bdTcYfhb44kHP\/HvbNJ\/6Cxr06GZ5fH4qn33OWeDxTeiv81\/med+IPhH+2JprN9t+FfxCjx1zpNx\/SvUpZplb\/5fx\/8AAjllgsd\/I\/uOR1fSf2hdLYrq3h\/x"} 00961{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2099,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":170,"flow_packet_id":2,"flow_src_last_pkt_time":1654385176794172,"flow_dst_last_pkt_time":1654385177120274,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":388,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":388,"pkt_l4_len":354,"thread_ts_usec":1654385177120274,"pkt":"nLbQ0+MztKXvZygQCABFAAF2wDBAADYGmm+saXlSwKgCfgBQlar6OK3h5ubbqoAYAOuKlwAAAQEICsmibeLytbleSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNjoxNiBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDEwMzg1NA0KTGFzdC1Nb2RpZmllZDogU2F0LCAwNCBKdW4gMjAyMiAwMzo1OTo1MiBHTVQNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCkVUYWc6ICI2MjlhZDhiOC0xOTVhZSINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjY6MTYgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNCg=="} 02495{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2100,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":170,"flow_packet_id":3,"flow_src_last_pkt_time":1654385176794172,"flow_dst_last_pkt_time":1654385177120274,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385177120274,"pkt":"nLbQ0+MztKXvZygQCABFAAXUwDFAADYGlhCsaXlSwKgCfgBQlar6OK8j5ubbqoAQAOs8UgAAAQEICsmibeLytble\/9j\/4AAQSkZJRgABAQAAAQABAAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMAAgEBAQEBAgEBAQICAgICBAMCAgICBQQEAwQGBQYGBgUGBgYHCQgGBwkHBgYICwgJCgoKCgoGCAsMCwoMCQoKCv\/bAEMBAgICAgICBQMDBQoHBgcKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCv\/AABEIAeABkAMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APxm8Z+KPFA8aauF8RX5zqlxgfa34HmMPWva0SR823uUD4p8UeWNviO+GOn+mPz+tLqTd3BfFXipSR\/wkl\/06fa3\/wAabsK7uTR+K\/FH3P8AhI73noftb\/41DsldibZctvF3iaPKSeIb\/pwftb\/41zVUnaxzO7LcXirxJIgP\/CSX3TnN2\/H61jsYzukWIvFfiZo+PEN8M4GBdP8A41EtGZ3d9x8vizxTH848SX3A6G7fA\/Wkkrm8dI6CL4u8Sn5h4jvlzgEfanyf1pNPYtPTRmlZeK\/ErbR\/wkl\/nop+1P1HXvXLO97vQjmfNY6Xw\/4p8TPEWOu3j4bORdPn68mvPrNc9jKpJy0O68NeKPEWVjbxDeYQggi4bJPX1rzar3aMndPc7jSfGniSCBJjrV0V6BTOcrng\/XNedUTlawc0rXuXLXxnrZxI2vXPyqRlZW2j8M1nOMkXGavqdV4N8Z6+t5GravdOAAxzOcZPTvxXHXU+VibZ634Q8ZavqN8LY6jcCIJl5ROc9O\/0rxsQpKO4Jytub8PxJu7nWrdI9SuOCY2UznBHY+3SuKanGDuxqUl1Pdfhb4r12LS4rl9SeQXUiR4LdBnkGvn8ZKTd0\/xYnJoufGzxJrcdpLNbajKI44huEa\/Nwfu5\/KuGlzd2\/mEHd6s8ni8fa1bJ9pm1abMnDDfg7v6cVpNVHLe3zZ0atrUhPxD1GS3aa31W4eXac7nwWHehc\/Nq3+Jeq0uaXhH4i67Ff2oTVJZGJ3bSxyPcn29PaionOD95\/eVd9z6h8E\/Fe\/n8GRG3uTvdcbUQbgSOSSeg614FeNVS3f3stylyo5nXviX4pgmaZtUUCMHG3A2+xHauCvKd7OT+9kx5m\/I6Pwj8X4odCtr3xTdxutwTsdSDg\/3fbiuVxqybs397HCN3ZnoPg3x7jT0utNuo\/LaTa+1QBjt1715OL9onrJ\/ezohLl2PqH4J+JTrXhiNjKrlMKxVQOa5cBXqwxNuZ\/efX5LUU6Lj2Nb4k67Ho+hPdTSIc"} 00961{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2103,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_packet_id":2,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385177120274,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":388,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":388,"pkt_l4_len":354,"thread_ts_usec":1654385177120274,"pkt":"nLbQ0+MztKXvZygQCABFAAF2OPRAADcGIKysaXlSwKgCfgBQlawVUlUq+Pyij4AYAOskNgAAAQEICsmibePytblgSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNjoxNiBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDExNjQ1NA0KTGFzdC1Nb2RpZmllZDogVHVlLCAyNCBNYXkgMjAyMiAwMzoyODozNyBHTVQNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCkVUYWc6ICI2MjhjNTBlNS0xYzZlNiINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjY6MTYgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNCg=="} 02498{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2104,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_packet_id":3,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385177120454,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385177120454,"pkt":"nLbQ0+MztKXvZygQCABFAAXUOPVAADcGHE2saXlSwKgCfgBQlawVUlZs+Pyij4AQAOvAhQAAAQEICsmibePytblg\/9j\/4AAQSkZJRgABAQAAAQABAAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMAAgEBAQEBAgEBAQICAgICBAMCAgICBQQEAwQGBQYGBgUGBgYHCQgGBwkHBgYICwgJCgoKCgoGCAsMCwoMCQoKCv\/bAEMBAgICAgICBQMDBQoHBgcKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCv\/AABEIAeABkAMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/AM3xD4j8QR63dH+1L3ck7AhpTgjPBPp9a\/VPccFof5r162IeInzSlfmfV935klt4p8UWcKZ1e5k3sD5byHgdiM9Ki0XpY3p4nF04JqUtfN\/5kWoeK\/FN8+06lKMqeFmI9\/XkU1GNtjSWKxMre9L73\/mVZ\/FfiJIVhGrTjBypM5IH5UcsexMq2Itbmd\/8T\/zHjxZrAsGh\/tq4Eh6l5zkH+tCjFO9ivb1fZNObv3u\/8xfDesa7dXksk+szZhQBczHkk9+4470q0o2VkVgJ16lV3nLTzf8AmdDFe+IrjJfVroKgIGJSFJ9Ov6elcz5bbHt0nXvrKX3v\/MxvH2reIn8O3E66xdI1tiSOQzkHk8qPY56VVGSjOyW5GL9q8O5OUtPN\/wCZ523jPxLMm0+ILsqByDM3ynOeK6ZKDd0jx1VxCfxy+9\/5lC48T+JplCrr13ye07c+3Xilyx7HRDE1oy1nL72UbvXPEka7pPEV4WzgkXDf40nCL6HbDG4iX2397\/zMy\/8AFHii1yo8S3hJ4P8ApLcdfek4xS2O+jiK1RfE\/vf+Zz2oeLfFKsVHiC8JP3Nty3Hr0NZ8sb7HqUq1a1uZ\/ezNuPF3ifcT\/wAJBfjjki6b\/GjljfY7KdWra3O\/vZTbxZ4tdhu8R3oPQK10x4\/OhxS6HWqtRbSf3sp3HizxZsGfEN7gc83b\/wCNRKMexvGtUT+J\/eyrc+LfFrMWXxHfZwMf6U3T86nlj2OilWqcvxP72VX8V+LSPKl8RXxXA4+0vyc9eDRyx7HTGtUvpJ\/eyC68YeKVk\/d+JdQjAXDbLx8n8CaOWL6GsKtXl1k382UZPF3jEyYPjLUeucNdMQP1qOWK3R1Rrzt1+9kT+KfF8YP\/ABU92TnJH2t846etLkS6Gyrzl9p\/eyGTxV4uljUQa\/enqWzev19Ov+eKlxT6IpVpqWsn97M6bxP4uZR\/xUWolif+f5+ffrWbp0+qOyFeo38T+8py+KPFyqsv\/CUamoYEjdeP\/Q0nSp9jup4yq7q\/"} -01359{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":170,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385176794172,"flow_src_last_pkt_time":1654385178155648,"flow_dst_last_pkt_time":1654385178652815,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":207,"flow_dst_max_l4_payload_len":15840,"flow_src_tot_l4_payload_len":414,"flow_dst_tot_l4_payload_len":190898,"midstream":1,"thread_ts_usec":1654385178652815,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":38314,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":124500.7,"flow_max":1361476,"flow_stddev":280114.3,"c_to_s_min":16899,"c_to_s_avg":689187.5,"c_to_s_max":1361476,"c_to_s_stddev":672288.5,"s_to_c_min":1,"s_to_c_avg":77443.5,"s_to_c_max":401346,"s_to_c_stddev":136203.4},"pktlen": {"c_to_s_min":273,"c_to_s_avg":273.0,"c_to_s_max":273,"c_to_s_stddev":0.0,"s_to_c_min":388,"s_to_c_avg":6429.3,"s_to_c_max":15906,"s_to_c_stddev":5274.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":170,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385176794172,"flow_src_last_pkt_time":1654385178155648,"flow_dst_last_pkt_time":1654385178652815,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":207,"flow_dst_max_l4_payload_len":15840,"flow_src_tot_l4_payload_len":414,"flow_dst_tot_l4_payload_len":190898,"midstream":1,"thread_ts_usec":1654385178652815,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":38314,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":128804.8,"flow_max":1361476,"flow_stddev":284817.3,"c_to_s_min":1361476,"c_to_s_avg":1361476.0,"c_to_s_max":1361476,"c_to_s_stddev":0.0,"s_to_c_min":1,"s_to_c_avg":77443.5,"s_to_c_max":401346,"s_to_c_stddev":136203.4},"pktlen": {"c_to_s_min":273,"c_to_s_avg":273.0,"c_to_s_max":273,"c_to_s_stddev":0.0,"s_to_c_min":388,"s_to_c_avg":6429.3,"s_to_c_max":15906,"s_to_c_stddev":5274.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2269,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":172,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385181857708,"flow_src_last_pkt_time":1654385181857708,"flow_dst_last_pkt_time":1654385181857708,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":409,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":409,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":409,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385181857708,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.117.221.10","src_port":59324,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01077{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2269,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":172,"flow_packet_id":1,"flow_src_last_pkt_time":1654385181857708,"flow_dst_last_pkt_time":1654385181857708,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":475,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":475,"pkt_l4_len":441,"thread_ts_usec":1654385181857708,"pkt":"tKXvZygQnLbQ0+MzCABFAAHNXapAAEAG0trAqAJ+aHXdCue8AFBxmTfMTd+OWYAYAfYKZgAAAQEIColJBIxVzQaLR0VUIC9zZGsvdnBhZG4tc2RrLWNvcmUtdjEuanMgSFRUUC8xLjENCkhvc3Q6IG0udnBvbi5jb20NCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNClVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChMaW51eDsgQW5kcm9pZCAxMTsgc2RrX2dwaG9uZV94ODYgQnVpbGQvUlNSMS4yMDEwMTMuMDAxOyB3dikgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgVmVyc2lvbi80LjAgQ2hyb21lLzgzLjAuNDEwMy4xMDYgTW9iaWxlIFNhZmFyaS81MzcuMzYoTW9iaWxlOyB2cGFkbi1zZGstYS12NC42LjQpDQpBY2NlcHQ6ICovKg0KWC1SZXF1ZXN0ZWQtV2l0aDogY29tLnNjZW5ld2F5Lmthbmthbg0KQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlDQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC45DQoNCg=="} 01212{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2269,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":172,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385181857708,"flow_src_last_pkt_time":1654385181857708,"flow_dst_last_pkt_time":1654385181857708,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":409,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":409,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":409,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385181857708,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.117.221.10","src_port":59324,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"m.vpon.com","http": {"url":"m.vpon.com\/sdk\/vpadn-sdk-core-v1.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36(Mobile; vpadn-sdk-a-v4.6.4)","detected_os":"Android 11"}}} @@ -979,11 +979,11 @@ 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2344,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385184982489,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385184982489,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":262,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":262,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":262,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385184982489,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36660,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00881{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2344,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_packet_id":1,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385184982489,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":328,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":328,"pkt_l4_len":294,"thread_ts_usec":1654385184982489,"pkt":"tKXvZygQnLbQ0+MzCABFAAE6JG9AAEAG2MrAqAJ+EkBnHo80AFAYADoNP4BZp4AYAfY9sQAAAQEICpxRp3YAJw3ER0VUIC9ydi9lbmR2NC5odG1sP21vZj0xJmVjX2lkPTQmbW9mX3VpZD05MTE5OSZuX2ltcD0xJnVuaXRfaWQ9ODg4MSZzZGtfdmVyc2lvbj1tYWxfOC43LjQgSFRUUC8xLjENClVzZXItQWdlbnQ6IERhbHZpay8yLjEuMCAoTGludXg7IFU7IEFuZHJvaWQgMTE7IHNka19ncGhvbmVfeDg2IEJ1aWxkL1JTUjEuMjAxMDEzLjAwMSkNCkhvc3Q6IGh5YmlyZC5yYXlqdW1wLmNvbQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KQWNjZXB0LUVuY29kaW5nOiBnemlwDQoNCg=="} 01151{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2344,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385184982489,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385184982489,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":262,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":262,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":262,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385184982489,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36660,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"hybird.rayjump.com","http": {"url":"hybird.rayjump.com\/rv\/endv4.html?mof=1&ec_id=4&mof_uid=91199&n_imp=1&unit_id=8881&sdk_version=mal_8.7.4","code":0,"content_type":"","user_agent":"Dalvik\/2.1.0 (Linux; U; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001)"}}} -01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2368,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":182,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1654385184927393,"flow_src_last_pkt_time":1654385184927393,"flow_dst_last_pkt_time":1654385184996498,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":183,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":7140,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":129251,"midstream":1,"thread_ts_usec":1654385184996498,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.66.2.90","src_port":35664,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":29372.1,"flow_max":753315,"flow_stddev":139360.3,"c_to_s_min":753315,"c_to_s_avg":753315.0,"c_to_s_max":753315,"c_to_s_stddev":0.0,"s_to_c_min":1,"s_to_c_avg":2559.4,"s_to_c_max":14880,"s_to_c_stddev":3288.5},"pktlen": {"c_to_s_min":249,"c_to_s_avg":249.0,"c_to_s_max":249,"c_to_s_stddev":0.0,"s_to_c_min":797,"s_to_c_avg":4235.4,"s_to_c_max":7206,"s_to_c_stddev":1662.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01330{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2368,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":182,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1654385184927393,"flow_src_last_pkt_time":1654385184927393,"flow_dst_last_pkt_time":1654385184996498,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":183,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":7140,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":129251,"midstream":1,"thread_ts_usec":1654385184996498,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.66.2.90","src_port":35664,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":2559.4,"flow_max":14880,"flow_stddev":3288.5,"c_to_s_min":0,"c_to_s_avg":0.0,"c_to_s_max":0,"c_to_s_stddev":0.0,"s_to_c_min":1,"s_to_c_avg":2559.4,"s_to_c_max":14880,"s_to_c_stddev":3288.5},"pktlen": {"c_to_s_min":249,"c_to_s_avg":249.0,"c_to_s_max":249,"c_to_s_stddev":0.0,"s_to_c_min":797,"s_to_c_avg":4235.4,"s_to_c_max":7206,"s_to_c_stddev":1662.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 02473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2407,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_packet_id":2,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385185015621,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1494,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1494,"pkt_l4_len":1460,"thread_ts_usec":1654385185015621,"pkt":"nLbQ0+MztKXvZygQCABFAAXIXwoAAPgGIaESQGcewKgCfgBQjzQ\/gHc7GAA7E4AYAINkpwAAAQEICgAnDeicUad2RWsIZamOljqm7gSNKAkXQCu+hVDQvHNR9FYzcLa6bcMwfHz8+6Ohpq2yX4VCM8MnePOCbl7QzQu6eUE3L+jmBd28oJsXdPPvCN38HeCm8Yfm\/kvPR3Dz+vd\/+5\/+qz\/+F\/\/73\/yP\/8vf\/ov\/+v\/+3\/7l3\/xn\/\/nP6n\/VjBMyedbYcXZ\/o\/OF7mdeh9Hhr\/RfIfMv43vvKuRdCur\/FFM9E59fEn2SOA2NKnl1bdNivqb2mOXNXHq1\/YMX1\/Ovvr+Ls8avbLeJu\/n+XUe8voOwYRiE416SRHkHbuH3JI7AK5hcYzixRhEYhd8jOEmi6zWCkdiKXBEYCfi+gog\/Et\/23iV5mL96vr5z8qbJ03dVHEbNXOMfCP\/4uyrDZ\/hnarl7h38mQu9N1tzbJ+HHYOnfwgd4YKemZxmEk6Yfkz3lh\/aJu5CbeloHFbHt+TJXIpxmxZgsZHiRMOZFvKzyDdgT70P7AneujlPtVyx1Ci8u7Wd7MtsuMwhfTyvOMfV9uKfpBVoFiWcijlTzRwo97G1lTY77npOvQt2eMaaQrdoht73lsx1+nZwlg+BlIhnXXbgLsHWy5C\/CTrdrpvOys4hB5bmgib5vMJLqdEuhL1RVueIWhr1W24corWULSQqDfGNsr1HdHI4FJV+WwuEwhjFLFwqL5Xy27akNzx1XpbTfbywRws5chR\/VzSRUHZ82JFfLUbM21UlmqXQlB5CS01wcLs0xrplUXKuatlxW\/JnKqnFYcvIJ+HnXlDQp0jzZWW7b+IreDkRwtvod2OSadqez+8PJQr11ODo3W9Sq9lB21UYv1nbZnPkKxY3GO2VJgKi3y86OY2lDWQkA3y1giPPL0I8WU8XJRBa7HXzc3Kr4uITR5JDT0WTaYXbC9v5VWfTptvCOnVLv18ciGZlm2dHCfrfBJ8PAq77hGFHEh2RHh+SoYiYL45XZJMJ1SZZMbDASfdSvphUfow01aDWyqsWVpJirq1bhq16jM844FVx6sRj6QlADNWTuRMUGtyRUymqEmNkJt0Yb1N1graqbbda1j4vrOEyE7tb2An3aY8uYGHAX8\/rsNN6gbsLJaXGuswDrrwixB2A37Y+RJEMuQhm9tVPq3bKPTkuFNlJk4shWDhxGJ4gRxe1aHQH+OdOeb5ZAybp4QOtbdJVZhbI7fRHTpmi3Db68nJpjZBHlst+pE6dd\/auVOTRGjFYfMxlXYZeV5CtjfADQStuORhXR14nj+JExkEESLQhVIgsxAsrbUusYDOsmiIS0OxhmECNGsnePTqNm9Ybk0jiCIUUMk0Q6bo9XikfzcXHRxBU2KhFA7wFnV9mu0s+4T+Cmvs31pVGdu01zTdMqOQbatST8XeSiGb9xLLVobbjVxgASHcVY6Z0cEk1Zw70WhNMSziSBuvEt6nPBEkkYPUs89VCHjedyHoevTwhpwRtTvVC9cjscTpkEl70Q5ZcEM0iBVlOrZshoxaxTCyVqkcFaQaTJND7qiruC9vSgHxhROJty2frJRGcUkW\/T8bzArQu62Aj8pZfq5WnpurUmhYNXBBstPB0HdLEt67HP9CUNcHaVL\/py5Tv+IiqnHSGMtLAtT2aEyysT7VlU2B1c0UynpCL4dONoCBQZiWBCCob59IQIU9r6hD5FW92974pfH398cuCh13wO5v+Bzpq+x4zOk7NmVkyoZTPht8XqNPclVgd+dr30ls5urO+xrXKEf+KEQVxrl2X5Oea+B7dP8f2vfeAhlpy7jKenuJahub4U2SPWInq+hVn3Kp7Xjnw5Mt72ttIa3qJmWSX5OaelWMO1q4cTtae5TXSrzL1EZlCA5nHYN3tCgikSvSDqTjQq48xf4eq4x89aD51T5RZZJ\/zYX3eIruVriHTZcy9vlhIyXU6UT8Gkvj5OMbHU"} 04501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2408,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_packet_id":3,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385185015621,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":2922,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":2922,"pkt_l4_len":2888,"thread_ts_usec":1654385185015621,"pkt":"nLbQ0+MztKXvZygQCABFAAtcXwsAAPgGHAwSQGcewKgCfgBQjzQ\/gHzPGAA7E4AYAINH0wAAAQEICgAnDeicUad24XFtV7Rg10duU4UTlxkMf+4hbiOeKWSTGwnHrK\/bcVHDmrmHVT1QbFoe9jUro5dI5TdYvpHS0y1rjoh+0U3zcCtX9rblxRoi5FhuCbqzSJTCJ\/SCO4zZZSPYNE6w5HSVgAaV0y2oWClZOTWZhlvMk\/XLRpM2IbCWurCzT+9+nnf\/OWUMYJ35yVcMM8b6\/R\/\/1f\/5x\/\/+v\/rM8TWeCOPgXR\/Wn9HNbJqvANEK619BcRX6k+IzZvpCAIbt5MNPYdScnyfOCY1\/TyD1rf7duf9o+anpe+Lk86r6HoqW4GHx6Znn1+7nR8VPBz8nS9L5cAeE+tP9z7LkZg6+ssfPLHPhW3ltM+PZT5K8\/\/msfZakyRs7mbt7Xv7\/5l\/\/85\/obM72VPyqzrNvqjRrU2d+wff86N\/86\/\/y1dOAvpLFbex7cuAdHr+ancs7IF7TArMobu\/azMv7LMnv2ZI\/Gupcy2kBmgQdfr79Efcrp\/mm7gDzHc7PmZXzYaydhcl9sn\/Bdl7f8evdzu42\/KM6\/2CPyGFz2XrOAlzQ68abCb\/NI1L4Z494f\/7\/wYeXvY12b\/v45AFpVjEKiukvMgW7N34KJ1mHT5uII8wicQAf7cIJq5oahpZLfYWtbiLN8Nh5vTFcczsoLYRSQOpr5+wJefBB0Bcjqs8OVij5zI4Q8US3kT6+pov1ZlWX1ZbBLAo\/CWVvJs7o7OLKwNZicOUC1akI83ha4yIZMssUw8P1miwuy6UgRf4eU5Z4nB6XmLKp3MOmhnDsUnscvDaHlhO5ju5pELGc1S1KGIjCWSnZkCldR8tC3DNDZhx2FKPl6Ci6COlwEwia\/ctaSG\/KNTGIWOI6zxgGatnGGthaTk1Dl52EoUGrXjVsYFdBMq6zs3e4rH0Kz4xNdXR5SSjlJSGkp+XAetsK67orj5IjKZ9wGSH8hV8441VbQeRVqYj9GmcyBGz12el6BMEvIWJjscDyTLrh3gbg\/hA7bG\/IFWoEHieVcL0Fga3fQZtUIvBGrA4DAHWEdWYmHNmovkcclhbSpgp39QFulyfMoKwtehAkztJTKuJ6VmqPjURtjSFB1eFWH1Yc7LQ6dAu7tRLspVXE29p+fTlt3DU5BIU4qVWEQhjVxOQJJno\/tO47JaUb5kHb4cxZFH\/xjOAXlxRYQ3maguAXxIPDq5+U3s2e6xvHBz+qA9znj+qA0r3OzF78\/m\/\/m3\/x5GWK3\/9f\/8f\/9On2j\/\/DZ+rf\/K\/\/8y+4ISevvLvD+vmDL13\/qNtPXbbJM1cS1\/MvdrRzDv0vjv8pQXvOIP9JD\/cE7a+oLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwna3zq1eknQnu9fUpheUpheUpheUpheUpheUpheUpj+Q0th+u1o6CVB+wXdvKCbF3Tzgm5e0M0LunlBN\/8+oJu\/A9z8u0vQrpCfFX85I7tCnPBbGSm\/lk30zbTs9WqNEysUXZM4hpMYDijwEhBJBF+uEHC\/esnKvn9esrJfsrJfsrJfsrJfsrK\/dtYvWdkvWdn\/qKzsr2DFb8iy\/jbI+v87\/boZGvre\/q+mYD9X+y2Z2M+J2D+hfcm9nhP5\/pG515+TmJ\/6\/\/ct9fpHOdZMY39Dhb8G6D\/nW\/8jnNtLgvVLgvV\/PAnWP1o8\/7C\/j\/GrCdn3b9X++rjgVxOy5zr\/lhOyP3X5907ILoBTEbN4znv+kQ+d\/VichUew\/T3fvn\/\/\/udb4HMLzxvoT2hNXDD+vDu9qpsx8R\/BjlUk9vhhnsjPvM9fbh60mXtP2067WZA3b3\/43ScSuJ+\/Jh1o\/589f\/f5q7983TbBO\/IvX383f1X7D26e5NWHfwLD8Hfzt4KHVQ4c8Yd\/EgTBd\/P3kwdgm3k3fgA95Uny3bved25AP7N3flfHk\/\/O9q5t3XxAYPiffvcurb\/95OP9S+H\/7Ie8bRKwU3yAf7mheXxfntrFuygOo2R+sfDuSdIqdOw38MP939t7ww\/zd6D\/EIBt6F1gp3ECpLWz+l3tV3HwcX72AGbrwUsevObB8x7a5CFPHpL4IUIeIvQhWj5E2EOEP0Srh6LyH9zc8x+CvEofgthPPDBjD4kfAgt5iLOibR5mie3Ktx+KByfJ3VvZ5o3\/0EQPjfcQVQ9Pm9mDXTWxm\/gPdh2D5jwf7JBJDVoMXbuY9TLfttXcEahdPcxoZb7Ms188AHtsHzK7e6j9uxJ\/SO0qjDMwbYXtzab0Af74JEztJ4Dls0xPkzBP59O0NzPI+eFpHczTl9hF7X\/4dPPd8wNgk+5To59HDLbN52qAajtO9WADA8jG9DP1u3tXwLZiO5u1VqV28tHzkx\/uGvXAsqruh4EfZoW\/ayIwsDD6CMSv\/Lp++DQLbtw8z7gXZA9+Os8jaPN5HLPhPzf91F3vz4bwAYfhj0CFbfLDvEY\/82X+x0\/tNtGTHDawHCCCHzQfv9L2zybrqx7KD44P7MB\/KD\/YAVDSD89\/3+DDn\/7px7p1Huq2+FETBP5Pv7sPNXpqAegqr+P7DFR+Ys8I8zuwnIBV2MmzWDMImat8nFtq8uLDu\/e4n85t\/\/D0Qg0Q0Jlif4jmpfjV1IKF6lf3FuKsfrC\/en6fktcP8aOXuy0wqua9C4yk8dnEn0tvXt9n7vXb7+LgzWeW0G+en9f0eLRD2U79N3c4\/frtX8B\/9d4uCrAYmChOvDfx24f4\/b0RPfL95u2PC++fMbb313\/95id0t67nt6yPzdvv\/KT2XzXV+EP8\/v4HGua3lI8N0GLjRm\/8t5\/IT+wfP755+\/DZr8UP4Plnxzf7vNnP+Y\/VPAB69mHApJlkPuHSwBJ58\/Z9H3tN9B2Owd\/7UP0nf\/LGfwT3f1a\/\/e7JQfoQAn9XPQn6ftarDtT62CxeF8Prh\/R95aeP8f3\/5uNcASxxUP40aw\/Vo\/258Dx9Dzmgla1fjfp9lebVmz9NgSP4iwzM6OPrLvb7+57zV3\/69iH5VdYg8YcYTOWdtX6EHzzwkz4CMZ8fgCn+Unj84eNdo\/nTlLiP+TwlVNNUMXBOQJfPdvz67fv0PtFQDDaN2E7+8l0NjNN\/fPMXf+n95fu\/WryF3n7ngomatziwc3BgH2veuH+B\/NUsxJ0kAiNCIO\/t2493TYJOk6dOo8fklzqdRYueuIrH6CsRvKL6sQAPwRee1B7itE2\/4vmuAEI+S\/QkZHEX8idyAznrt++bnIsH33uDvn0Lmv55teC3VPv4EQzgd8CAfuc9jaJ9BPYNvHUc2kBx8\/owQWgFrPKT3HbmVXnsQeF9ufwaZ3z\/Qy4z49sHZzYvv4tdXwF9J9q8pL\/zHhEIyNz++fL7RweI\/7v6r\/8a3NZv\/3z5Af1CQu8k9APyAXk7iwvM+ifKuAdqYBZfP9RvH36XvwUsb2Zr\/Zl7mE3w9du3P6s82+Trhy\/2+\/Yh\/xnHJ10\/vH5W67NhvV54i9cPr571+DMiYP2K2Nbz9gQosyN5zHLQV\/U+iKv60xq7u6G336D9xE3lT57mrq3w62ECdADMMvxZlQf7fV+B7elN+MU3gcl8D7YwtgP1JLD1+ID+BqDJeQd4\/cU3vf0BbP12dYxTHyCeN9nbh+wRzNCncvOwhAF0efgdMtvD1+3NgLKO8v5HLQJf578vZmMBTB7Q8m\/o4LkHoI20SPzGf\/34CMYOhu6N+hxf\/7n9fgZHP\/d4CPpn9d3pfbC\/IdvmsJ\/fwcw0gGp97yej\/jsafJIHuGLgTuclHN\/\/r+\/ONQCTGGmz"} 01165{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2408,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1654385184982489,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385185015621,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":262,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":262,"flow_dst_max_l4_payload_len":2856,"flow_src_tot_l4_payload_len":262,"flow_dst_tot_l4_payload_len":4284,"midstream":1,"thread_ts_usec":1654385185015621,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36660,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"hybird.rayjump.com","http": {"url":"hybird.rayjump.com\/rv\/endv4.html?mof=1&ec_id=4&mof_uid=91199&n_imp=1&unit_id=8881&sdk_version=mal_8.7.4","code":0,"content_type":"","user_agent":"Dalvik\/2.1.0 (Linux; U; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001)"}}} -01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2427,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":185,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1654385184944474,"flow_src_last_pkt_time":1654385184944474,"flow_dst_last_pkt_time":1654385185026289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":497,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":497,"flow_dst_max_l4_payload_len":5712,"flow_src_tot_l4_payload_len":497,"flow_dst_tot_l4_payload_len":108528,"midstream":1,"thread_ts_usec":1654385185026289,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36640,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":55,"flow_avg":3207.8,"flow_max":21003,"flow_stddev":4874.7,"c_to_s_min":1589,"c_to_s_avg":1589.0,"c_to_s_max":1589,"c_to_s_stddev":0.0,"s_to_c_min":55,"s_to_c_avg":3272.6,"s_to_c_max":21003,"s_to_c_stddev":4960.2},"pktlen": {"c_to_s_min":563,"c_to_s_avg":563.0,"c_to_s_max":563,"c_to_s_stddev":0.0,"s_to_c_min":1494,"s_to_c_avg":3566.9,"s_to_c_max":5778,"s_to_c_stddev":1641.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01335{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2427,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":185,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1654385184944474,"flow_src_last_pkt_time":1654385184944474,"flow_dst_last_pkt_time":1654385185026289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":497,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":497,"flow_dst_max_l4_payload_len":5712,"flow_src_tot_l4_payload_len":497,"flow_dst_tot_l4_payload_len":108528,"midstream":1,"thread_ts_usec":1654385185026289,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36640,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":55,"flow_avg":3272.6,"flow_max":21003,"flow_stddev":4960.2,"c_to_s_min":0,"c_to_s_avg":0.0,"c_to_s_max":0,"c_to_s_stddev":0.0,"s_to_c_min":55,"s_to_c_avg":3272.6,"s_to_c_max":21003,"s_to_c_stddev":4960.2},"pktlen": {"c_to_s_min":563,"c_to_s_avg":563.0,"c_to_s_max":563,"c_to_s_stddev":0.0,"s_to_c_min":1494,"s_to_c_avg":3566.9,"s_to_c_max":5778,"s_to_c_stddev":1641.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00757{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2503,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":180,"flow_packet_id":2,"flow_src_last_pkt_time":1654385184845262,"flow_dst_last_pkt_time":1654385185166661,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":236,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":236,"pkt_l4_len":202,"thread_ts_usec":1654385185166661,"pkt":"nLbQ0+MztKXvZygQCABFAADe9z5AACoGBubKmcQ1wKgCfgBQ5Ybmg6trug1byIAYAPOTtwAAAQEICkyTXI+9cmjoSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IEFwYWNoZS1Db3lvdGUvMS4xDQpWcGFkbi1TdGF0dXMtQ29kZTogLTI2DQpWcGFkbi1TdGF0dXM6IE5PX0ZJTEwNClZwYWRuLVN0YXR1cy1EZXNjOiANCkNvbnRlbnQtTGVuZ3RoOiAwDQpEYXRlOiBTYXQsIDA0IEp1biAyMDIyIDIzOjI2OjI0IEdNVA0KDQo="} 00758{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2504,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":181,"flow_packet_id":2,"flow_src_last_pkt_time":1654385184857770,"flow_dst_last_pkt_time":1654385185942149,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":236,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":236,"pkt_l4_len":202,"thread_ts_usec":1654385185942149,"pkt":"nLbQ0+MztKXvZygQCABFAADeE\/tAACoG6inKmcQ1wKgCfgBQ5Yg8Z0+pmkmYKYAYAPN5zQAAAQEICkyTX6y9cmj1SFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IEFwYWNoZS1Db3lvdGUvMS4xDQpWcGFkbi1TdGF0dXMtQ29kZTogLTI2DQpWcGFkbi1TdGF0dXM6IE5PX0ZJTEwNClZwYWRuLVN0YXR1cy1EZXNjOiANCkNvbnRlbnQtTGVuZ3RoOiAwDQpEYXRlOiBTYXQsIDA0IEp1biAyMDIyIDIzOjI2OjI0IEdNVA0KDQo="} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2505,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":188,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385229374771,"flow_src_last_pkt_time":1654385229374771,"flow_dst_last_pkt_time":1654385229374771,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1440,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1440,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385229374771,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"52.29.177.177","src_port":37100,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/443-curl.pcap.out b/test/results/443-curl.pcap.out index fb95e1355..c67b84acb 100644 --- a/test/results/443-curl.pcap.out +++ b/test/results/443-curl.pcap.out @@ -7,7 +7,7 @@ 01046{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113120522725,"flow_dst_last_pkt_time":1581113120512991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1581113120522725,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01106{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113120522725,"flow_dst_last_pkt_time":1581113120563403,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1581113120563403,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01427{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113120522725,"flow_dst_last_pkt_time":1581113120564527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2880,"midstream":0,"thread_ts_usec":1581113120564527,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","server_names":"www.ntop.org","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=www.ntop.org","alpn":"h2,http\/1.1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}} -01481{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113121447770,"flow_dst_last_pkt_time":1581113121447985,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":899,"flow_dst_tot_l4_payload_len":10128,"midstream":0,"thread_ts_usec":1581113121447985,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":78649296.0,"flow_max":2514830251,"flow_stddev":437551040.0,"c_to_s_min":3,"c_to_s_avg":147988448.0,"c_to_s_max":2514830251,"c_to_s_stddev":591710464.0,"s_to_c_min":2,"s_to_c_avg":64912.4,"s_to_c_max":784064,"s_to_c_stddev":193129.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":119.6,"c_to_s_max":583,"c_to_s_stddev":120.8,"s_to_c_min":66,"s_to_c_avg":741.7,"s_to_c_max":1506,"s_to_c_stddev":666.1}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} +01460{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113121447770,"flow_dst_last_pkt_time":1581113121447985,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":899,"flow_dst_tot_l4_payload_len":10128,"midstream":0,"thread_ts_usec":1581113121447985,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":62811.5,"flow_max":784064,"flow_stddev":190271.5,"c_to_s_min":3,"c_to_s_avg":60841.9,"c_to_s_max":784044,"c_to_s_stddev":187531.4,"s_to_c_min":2,"s_to_c_avg":64912.4,"s_to_c_max":784064,"s_to_c_stddev":193129.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":119.6,"c_to_s_max":583,"c_to_s_stddev":120.8,"s_to_c_min":66,"s_to_c_avg":741.7,"s_to_c_max":1506,"s_to_c_stddev":666.1}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 01033{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":109,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":51,"flow_dst_packets_processed":58,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113121570392,"flow_dst_last_pkt_time":1581113121570364,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":930,"flow_dst_tot_l4_payload_len":65886,"midstream":0,"thread_ts_usec":1581113121570392,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 00564{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":109,"source":"443-curl.pcap","alias":"nDPId-test","packets-captured":109,"packets-processed":109,"total-skipped-flows":0,"total-l4-payload-len":66816,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1581113121570392} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -23,5 +23,5 @@ ~~ total allocations/frees...: 121551/121551 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 479 chars -~~ json string max len.......: 1486 chars -~~ json string avg len.......: 965 chars +~~ json string max len.......: 1465 chars +~~ json string avg len.......: 956 chars diff --git a/test/results/443-firefox.pcap.out b/test/results/443-firefox.pcap.out index 11bf3a15a..9ab5dfc1c 100644 --- a/test/results/443-firefox.pcap.out +++ b/test/results/443-firefox.pcap.out @@ -7,7 +7,7 @@ 01106{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109488081517,"flow_dst_last_pkt_time":1581109488079587,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1581109488081517,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01172{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109488081517,"flow_dst_last_pkt_time":1581109488123692,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1581109488123692,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"3653a20186a5b490426131a611e01992","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01493{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109488081517,"flow_dst_last_pkt_time":1581109488123785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2880,"midstream":0,"thread_ts_usec":1581109488123785,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","server_names":"www.ntop.org","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"3653a20186a5b490426131a611e01992","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=www.ntop.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}} -01487{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109490061876,"flow_dst_last_pkt_time":1581109490062194,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1047,"flow_dst_tot_l4_payload_len":13867,"midstream":0,"thread_ts_usec":1581109490062194,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":99418944.0,"flow_max":3177364331,"flow_stddev":552815424.0,"c_to_s_min":3,"c_to_s_avg":211959008.0,"c_to_s_max":3177364331,"c_to_s_stddev":792537984.0,"s_to_c_min":2,"s_to_c_avg":118888.9,"s_to_c_max":1655690,"s_to_c_stddev":388002.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":136.6,"c_to_s_max":583,"c_to_s_stddev":139.0,"s_to_c_min":66,"s_to_c_avg":882.2,"s_to_c_max":1506,"s_to_c_stddev":650.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} +01470{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109490061876,"flow_dst_last_pkt_time":1581109490062194,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1047,"flow_dst_tot_l4_payload_len":13867,"midstream":0,"thread_ts_usec":1581109490062194,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":130384.0,"flow_max":1655693,"flow_stddev":403949.6,"c_to_s_min":3,"c_to_s_avg":144342.4,"c_to_s_max":1655693,"c_to_s_stddev":422084.9,"s_to_c_min":2,"s_to_c_avg":118888.9,"s_to_c_max":1655690,"s_to_c_stddev":388002.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":136.6,"c_to_s_max":583,"c_to_s_stddev":139.0,"s_to_c_min":66,"s_to_c_avg":882.2,"s_to_c_max":1506,"s_to_c_stddev":650.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 01040{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":667,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":316,"flow_dst_packets_processed":351,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109496480905,"flow_dst_last_pkt_time":1581109496480819,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":7675,"flow_dst_tot_l4_payload_len":406398,"midstream":0,"thread_ts_usec":1581109496480905,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 00568{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":667,"source":"443-firefox.pcap","alias":"nDPId-test","packets-captured":667,"packets-processed":667,"total-skipped-flows":0,"total-l4-payload-len":414073,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1581109496480905} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/443-git.pcap.out b/test/results/443-git.pcap.out index ae04e2abe..279aace4a 100644 --- a/test/results/443-git.pcap.out +++ b/test/results/443-git.pcap.out @@ -7,7 +7,7 @@ 01053{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113657751016,"flow_dst_last_pkt_time":1581113657744320,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1581113657751016,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"github.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 01113{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113657751016,"flow_dst_last_pkt_time":1581113657863699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1424,"midstream":0,"thread_ts_usec":1581113657863699,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"github.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}} 01536{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113657751016,"flow_dst_last_pkt_time":1581113657863749,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3550,"midstream":0,"thread_ts_usec":1581113657863749,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"github.com","tls": {"version":"TLSv1.2","server_names":"github.com,www.github.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com","alpn":"http\/1.1","fingerprint":"CA:06:F5:6B:25:8B:7A:0D:4F:2B:05:47:09:39:47:86:51:15:19:84"}}} -01491{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113658139408,"flow_dst_last_pkt_time":1581113658139371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":850,"flow_dst_tot_l4_payload_len":8277,"midstream":0,"thread_ts_usec":1581113658139408,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":95406280.0,"flow_max":3051989805,"flow_stddev":531018080.0,"c_to_s_min":2,"c_to_s_avg":179558544.0,"c_to_s_max":3051989805,"c_to_s_stddev":718107776.0,"s_to_c_min":2,"s_to_c_avg":33701.2,"s_to_c_max":143502,"s_to_c_stddev":55032.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":116.7,"c_to_s_max":583,"c_to_s_stddev":128.9,"s_to_c_min":74,"s_to_c_avg":618.3,"s_to_c_max":1490,"s_to_c_stddev":554.7}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative"}} +01468{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113658139408,"flow_dst_last_pkt_time":1581113658139371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":850,"flow_dst_tot_l4_payload_len":8277,"midstream":0,"thread_ts_usec":1581113658139408,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":32615.3,"flow_max":143502,"flow_stddev":53225.8,"c_to_s_min":2,"c_to_s_avg":31597.2,"c_to_s_max":142911,"c_to_s_stddev":51453.4,"s_to_c_min":2,"s_to_c_avg":33701.2,"s_to_c_max":143502,"s_to_c_stddev":55032.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":116.7,"c_to_s_max":583,"c_to_s_stddev":128.9,"s_to_c_min":74,"s_to_c_avg":618.3,"s_to_c_max":1490,"s_to_c_stddev":554.7}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative"}} 01044{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":70,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":35,"flow_dst_packets_processed":35,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113658456571,"flow_dst_last_pkt_time":1581113658456501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":881,"flow_dst_tot_l4_payload_len":31704,"midstream":0,"thread_ts_usec":1581113658456571,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative"}} 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":70,"source":"443-git.pcap","alias":"nDPId-test","packets-captured":70,"packets-processed":70,"total-skipped-flows":0,"total-l4-payload-len":32585,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1581113658456571} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/443-opvn.pcap.out b/test/results/443-opvn.pcap.out index 89232502e..4cecd641d 100644 --- a/test/results/443-opvn.pcap.out +++ b/test/results/443-opvn.pcap.out @@ -5,7 +5,7 @@ 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1581153175528454,"flow_dst_last_pkt_time":1581153175550065,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1581153175550065,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADYGAkzADMBnwKgBVASqzu1gWZU1YGtar6AScSBwigAAAgQFrAQCCAocQO0VFg2AOQEDAwY="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1581153175550155,"flow_dst_last_pkt_time":1581153175550065,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1581153175550155,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+FPAqAFUwAzAZ87tBKpga1qvYFmVNoAQECwALgAAAQEIChYNgE0cQO0V"} 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1581153175528454,"flow_src_last_pkt_time":1581153176603974,"flow_dst_last_pkt_time":1581153176626109,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1581153176626109,"l3_proto":"ip4","src_ip":"192.168.1.84","dst_ip":"192.12.192.103","src_port":52973,"dst_port":1194,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} -01368{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581153175528454,"flow_src_last_pkt_time":1581153177970762,"flow_dst_last_pkt_time":1581153177992252,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3449,"flow_dst_tot_l4_payload_len":3196,"midstream":0,"thread_ts_usec":1581153177992252,"l3_proto":"ip4","src_ip":"192.168.1.84","dst_ip":"192.12.192.103","src_port":52973,"dst_port":1194,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":122502648.0,"flow_max":3915178742,"flow_stddev":681184832.0,"c_to_s_min":4,"c_to_s_avg":230448288.0,"c_to_s_max":3915178742,"c_to_s_stddev":921182656.0,"s_to_c_min":174,"s_to_c_avg":164253.2,"s_to_c_max":1122501,"s_to_c_stddev":367033.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":269.6,"c_to_s_max":1506,"c_to_s_stddev":378.3,"s_to_c_min":66,"s_to_c_avg":279.6,"s_to_c_max":1506,"s_to_c_stddev":438.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01350{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581153175528454,"flow_src_last_pkt_time":1581153177970762,"flow_dst_last_pkt_time":1581153177992252,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3449,"flow_dst_tot_l4_payload_len":3196,"midstream":0,"thread_ts_usec":1581153177992252,"l3_proto":"ip4","src_ip":"192.168.1.84","dst_ip":"192.12.192.103","src_port":52973,"dst_port":1194,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":158261.5,"flow_max":1160659,"flow_stddev":364282.7,"c_to_s_min":4,"c_to_s_avg":152644.2,"c_to_s_max":1160659,"c_to_s_stddev":361594.9,"s_to_c_min":174,"s_to_c_avg":164253.2,"s_to_c_max":1122501,"s_to_c_stddev":367033.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":269.6,"c_to_s_max":1506,"c_to_s_stddev":378.3,"s_to_c_min":66,"s_to_c_avg":279.6,"s_to_c_max":1506,"s_to_c_stddev":438.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00913{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":46,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":21,"flow_first_seen":1581153175528454,"flow_src_last_pkt_time":1581153184491293,"flow_dst_last_pkt_time":1581153184491180,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3974,"flow_dst_tot_l4_payload_len":4543,"midstream":0,"thread_ts_usec":1581153184491293,"l3_proto":"ip4","src_ip":"192.168.1.84","dst_ip":"192.12.192.103","src_port":52973,"dst_port":1194,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":46,"source":"443-opvn.pcap","alias":"nDPId-test","packets-captured":46,"packets-processed":46,"total-skipped-flows":0,"total-l4-payload-len":8517,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1581153184491293} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121481/121481 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 479 chars -~~ json string max len.......: 1373 chars -~~ json string avg len.......: 890 chars +~~ json string max len.......: 1355 chars +~~ json string avg len.......: 882 chars diff --git a/test/results/443-safari.pcap.out b/test/results/443-safari.pcap.out index f14d2a43c..130ccfc96 100644 --- a/test/results/443-safari.pcap.out +++ b/test/results/443-safari.pcap.out @@ -7,7 +7,7 @@ 01084{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109359641072,"flow_dst_last_pkt_time":1581109359639845,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":233,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":233,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1581109359641072,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01150{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109359641072,"flow_dst_last_pkt_time":1581109359683686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":233,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":233,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1581109359683686,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"f9fcb52580329fb6a9b61d7542087b90","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01471{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109359641072,"flow_dst_last_pkt_time":1581109359683783,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":233,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":233,"flow_dst_tot_l4_payload_len":2880,"midstream":0,"thread_ts_usec":1581109359683783,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","server_names":"www.ntop.org","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"f9fcb52580329fb6a9b61d7542087b90","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=www.ntop.org","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}} -01481{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109360694080,"flow_dst_last_pkt_time":1581109360694172,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":797,"flow_dst_tot_l4_payload_len":9828,"midstream":0,"thread_ts_usec":1581109360694172,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":95347184.0,"flow_max":3048924894,"flow_stddev":530478240.0,"c_to_s_min":4,"c_to_s_avg":179412784.0,"c_to_s_max":3048924894,"c_to_s_stddev":717378048.0,"s_to_c_min":2,"s_to_c_avg":72835.1,"s_to_c_max":695603,"s_to_c_stddev":178679.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":113.6,"c_to_s_max":394,"c_to_s_stddev":89.6,"s_to_c_min":66,"s_to_c_avg":721.7,"s_to_c_max":1506,"s_to_c_stddev":680.0}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} +01460{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109360694080,"flow_dst_last_pkt_time":1581109360694172,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":797,"flow_dst_tot_l4_payload_len":9828,"midstream":0,"thread_ts_usec":1581109360694172,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":70482.6,"flow_max":695650,"flow_stddev":174729.3,"c_to_s_min":4,"c_to_s_avg":68277.1,"c_to_s_max":695650,"c_to_s_stddev":170914.2,"s_to_c_min":2,"s_to_c_avg":72835.1,"s_to_c_max":695603,"s_to_c_stddev":178679.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":113.6,"c_to_s_max":394,"c_to_s_stddev":89.6,"s_to_c_min":66,"s_to_c_avg":721.7,"s_to_c_max":1506,"s_to_c_stddev":680.0}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 01035{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":41,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":20,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109360696066,"flow_dst_last_pkt_time":1581109360695416,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":797,"flow_dst_tot_l4_payload_len":16406,"midstream":0,"thread_ts_usec":1581109360696066,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":41,"source":"443-safari.pcap","alias":"nDPId-test","packets-captured":41,"packets-processed":41,"total-skipped-flows":0,"total-l4-payload-len":17203,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1581109360696066} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -23,5 +23,5 @@ ~~ total allocations/frees...: 121483/121483 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 481 chars -~~ json string max len.......: 1486 chars -~~ json string avg len.......: 968 chars +~~ json string max len.......: 1476 chars +~~ json string avg len.......: 964 chars diff --git a/test/results/6in4tunnel.pcap.out b/test/results/6in4tunnel.pcap.out index d32b85f7e..23d9bfeb5 100644 --- a/test/results/6in4tunnel.pcap.out +++ b/test/results/6in4tunnel.pcap.out @@ -4,7 +4,7 @@ 00628{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1444236893450580,"flow_dst_last_pkt_time":1444236893450580,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1444236893450580,"pkt":"ACKQ3jvZAAAkzoE0CABFAAB8tYFAAP8pFzeuA0kYuGn\/GmAAAAAAQDo\/IAEEcB8XAT8+lw7\/\/nNN7CYEqIAAAQAgAAAAAAIksAGAAOC9XY8BWl1OFVYAAAAAqN0GAAAAAAAQERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3"} 00627{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1444236893450580,"flow_dst_last_pkt_time":1444236893555356,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1444236893555356,"pkt":"AAAkzoE0ACKQ3jvZCABFAAB8xlZAAPgpDWK4af8argNJGGAAAAAAQDo3JgSogAABACAAAAAAAiSwASABBHAfFwE\/PpcO\/\/5zTeyBAN+9XY8BWl1OFVYAAAAAqN0GAAAAAAAQERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3"} 00711{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1444236894230722,"flow_dst_last_pkt_time":1444236893555356,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":200,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":200,"pkt_l4_len":166,"thread_ts_usec":1444236894230722,"pkt":"ACKQ3jvZAAAkzoE0CABFAAC6tdFAAP8pFqmuA0kYuGn\/GmAAAAAAfjpAIAEEcB8WAT8AAAAAAAAAAiYEqIAAAQAgAAAAAAIksAEBA9KAAAAAAGAAAAAATgY2JgSogAABACAAAAAAAiSwASABBHAfFwE\/JaMykhb5LOAD4exLUvt9fRlwFpiAGABJEPkAAAEBCAq0MT0ACHX6xhcDAwApoxPniAjxmmXGKxqxVV6nOvla9FPS7Dtl2rRDlmVhpOKK9OFyB\/XihP8="} -01192{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1444236893450580,"flow_src_last_pkt_time":1444236901127917,"flow_dst_last_pkt_time":1444236901118187,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":72,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":276,"flow_dst_max_l4_payload_len":1877,"flow_src_tot_l4_payload_len":2127,"flow_dst_tot_l4_payload_len":4797,"midstream":0,"thread_ts_usec":1444236901127917,"l3_proto":"ip4","src_ip":"174.3.73.24","dst_ip":"184.105.255.26","l4_proto":41,"flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":105,"flow_avg":81747112.0,"flow_max":2600562756,"flow_stddev":452392864.0,"c_to_s_min":140,"c_to_s_avg":144902224.0,"c_to_s_max":2600562756,"c_to_s_stddev":595585344.0,"s_to_c_min":105,"s_to_c_avg":547686.2,"s_to_c_max":1005120,"s_to_c_stddev":461059.8},"pktlen": {"c_to_s_min":106,"c_to_s_avg":152.2,"c_to_s_max":310,"c_to_s_stddev":53.2,"s_to_c_min":106,"s_to_c_avg":376.6,"s_to_c_max":1911,"s_to_c_stddev":550.8}}} +01175{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1444236893450580,"flow_src_last_pkt_time":1444236901127917,"flow_dst_last_pkt_time":1444236901118187,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":72,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":276,"flow_dst_max_l4_payload_len":1877,"flow_src_tot_l4_payload_len":2127,"flow_dst_tot_l4_payload_len":4797,"midstream":0,"thread_ts_usec":1444236901127917,"l3_proto":"ip4","src_ip":"174.3.73.24","dst_ip":"184.105.255.26","l4_proto":41,"flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":105,"flow_avg":494998.2,"flow_max":1005120,"flow_stddev":454962.0,"c_to_s_min":140,"c_to_s_avg":451608.1,"c_to_s_max":1001888,"c_to_s_stddev":445220.9,"s_to_c_min":105,"s_to_c_avg":547686.2,"s_to_c_max":1005120,"s_to_c_stddev":461059.8},"pktlen": {"c_to_s_min":106,"c_to_s_avg":152.2,"c_to_s_max":310,"c_to_s_stddev":53.2,"s_to_c_min":106,"s_to_c_avg":376.6,"s_to_c_max":1911,"s_to_c_stddev":550.8}}} 00779{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":32,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1444236893450580,"flow_src_last_pkt_time":1444236901127917,"flow_dst_last_pkt_time":1444236901118187,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":72,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":276,"flow_dst_max_l4_payload_len":1877,"flow_src_tot_l4_payload_len":2127,"flow_dst_tot_l4_payload_len":4797,"midstream":0,"thread_ts_usec":1444236901127917,"l3_proto":"ip4","src_ip":"174.3.73.24","dst_ip":"184.105.255.26","l4_proto":41,"ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00818{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":127,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":66,"flow_dst_packets_processed":61,"flow_first_seen":1444236893450580,"flow_src_last_pkt_time":1444236915478638,"flow_dst_last_pkt_time":1444236915586195,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":72,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1470,"flow_dst_max_l4_payload_len":1877,"flow_src_tot_l4_payload_len":11600,"flow_dst_tot_l4_payload_len":24375,"midstream":0,"thread_ts_usec":1444236915586195,"l3_proto":"ip4","src_ip":"174.3.73.24","dst_ip":"184.105.255.26","l4_proto":41,"flow_datalink":1,"flow_max_packets":3,"ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00566{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":127,"source":"6in4tunnel.pcap","alias":"nDPId-test","packets-captured":127,"packets-processed":127,"total-skipped-flows":0,"total-l4-payload-len":35975,"total-not-detected-flows":1,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1444236915586195} @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121561/121561 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 481 chars -~~ json string max len.......: 1197 chars -~~ json string avg len.......: 823 chars +~~ json string max len.......: 1180 chars +~~ json string avg len.......: 815 chars diff --git a/test/results/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out b/test/results/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out index bc56bb459..8a84bc9ec 100644 --- a/test/results/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out +++ b/test/results/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out @@ -20,14 +20,14 @@ 00912{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1228468958657176,"flow_dst_last_pkt_time":1228468958718407,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":339,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":339,"pkt_l4_len":305,"thread_ts_usec":1228468958718407,"pkt":"AAglAXLkABZGR+C\/CABFuAFFHeUAAD0RBJ7AqGTbioSpZRPEE8QBMRfZU0lQLzIuMCAxMDAgVHJ5aW5nDQpDYWxsLUlEOiBTRDQ5MDk3MDEtOWZmMTFiZjcyZWI0YTM0N2M5Mjk3NGQ4ZmJiYzI2NjgtYW84bzNpMQ0KQ29udGVudC1MZW5ndGg6IDANCkNTZXE6IDEgSU5WSVRFDQpGcm9tOiA8c2lwOnVuYXZhaWxhYmxlQGhvc3Rwb3J0aW9uPjt0YWc9U0Q0OTA5NzAxLTAwZTlkNDc4DQpUbzogPHNpcDowNjE5NjMxNzdAaXRhbHRlbC5pdDt1c2VyPXBob25lPg0KVmlhOiBTSVAvMi4wL1VEUCAxMzguMTMyLjE2OS4xMDE6NTA2MDticmFuY2g9ejloRzRiS2Z2MmY0MDEwNzg3aDNhOHExMjgwLjENCg0K"} 01088{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1228468958657176,"flow_dst_last_pkt_time":1228468958819466,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":469,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":469,"pkt_l4_len":435,"thread_ts_usec":1228468958819466,"pkt":"AAglAXLkABZGR+C\/CABFuAHHHeYAAD0RBBvAqGTbioSpZRPEE8QBs3VMU0lQLzIuMCAxODAgUmluZ2luZw0KQ2FsbC1JRDogU0Q0OTA5NzAxLTlmZjExYmY3MmViNGEzNDdjOTI5NzRkOGZiYmMyNjY4LWFvOG8zaTENCkNvbnRhY3Q6IDxzaXA6MDYxOTYzMTc3QDE5Mi4xNjguMTAwLjIxOTo1MDYwPg0KQ29udGVudC1MZW5ndGg6IDANCkNTZXE6IDEgSU5WSVRFDQpGcm9tOiA8c2lwOnVuYXZhaWxhYmxlQGhvc3Rwb3J0aW9uPjt0YWc9U0Q0OTA5NzAxLTAwZTlkNDc4DQpTZXJ2ZXI6IEFyY29yL0FyY29yLTEuMDIuMDA1dDINClRvOiA8c2lwOjA2MTk2MzE3N0BpdGFsdGVsLml0O3VzZXI9cGhvbmU+O3RhZz02MTcyNjM2MTY0Nzk2MTZFLTMzMTcxNTUyMC01MzM2Zjc4NS0xODc0MTAyMDUNClZpYTogU0lQLzIuMC9VRFAgMTM4LjEzMi4xNjkuMTAxOjUwNjA7YnJhbmNoPXo5aEc0YktmdjJmNDAxMDc4N2gzYThxMTI4MC4xDQoNCg=="} 01111{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1228468958651179,"flow_dst_last_pkt_time":1228468958820487,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":488,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":488,"pkt_l4_len":454,"thread_ts_usec":1228468958820487,"pkt":"ABEKVkXQAAglAXLqCABFAAHaAABAAIARbCEKIzxkCiM8SBPEE8QBxvK8U0lQLzIuMCAxODAgUmluZ2luZw0KVmlhOiBTSVAvMi4wL1VEUCAxMC4zNS42MC43Mjo1MDYwO2JyYW5jaD16OWhHNGJLLmlJaUlpSS4wYTIzMjgxOS5lOWQ0YmQNClRvOiA8c2lwOjA2MTk2MzE3N0BpdGFsdGVsLml0O3VzZXI9cGhvbmU+O3RhZz1TRDQ5MDk3OTktNjE3MjYzNjE2NDc5NjE2RS0zMzE3MTU1MjAtNTMzNmY3ODUtMTg3NDEwMjA1DQpGcm9tOiA8c2lwOnVuYXZhaWxhYmxlQGhvc3Rwb3J0aW9uPjt0YWc9MDBlOWQ0NzgNCkNhbGwtSUQ6IDAwZTlkNGE1MDBlOWQ0OC0wMDE1LTAwMDEtMDAwMC0wMDAwQDEwLjM1LjQwLjI1DQpDU2VxOiAxIElOVklURQ0KQ29udGFjdDogPHNpcDowNjE5NjMxNzctaWtodXVlcDViaTEyM0AxMC4zNS42MC4xMDA6NTA2MDt0cmFuc3BvcnQ9dWRwPg0KQ29udGVudC1MZW5ndGg6IDANClNlcnZlcjogQXJjb3IvQXJjb3ItMS4wMi4wMDV0Mg0KDQo="} -01378{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":44,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1228468937630923,"flow_src_last_pkt_time":1228468963851351,"flow_dst_last_pkt_time":1228468963854227,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":334,"flow_dst_max_l4_payload_len":372,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":3039,"midstream":0,"thread_ts_usec":1228468963854227,"l3_proto":"ip4","src_ip":"10.35.40.22","dst_ip":"10.23.1.42","src_port":2944,"dst_port":2944,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":15,"flow_avg":30288624.0,"flow_max":916792251,"flow_stddev":159233296.0,"c_to_s_min":15,"c_to_s_avg":58938292.0,"c_to_s_max":916792251,"c_to_s_stddev":221505744.0,"s_to_c_min":142,"s_to_c_avg":1638956.5,"s_to_c_max":4370196,"s_to_c_stddev":2021502.6},"pktlen": {"c_to_s_min":87,"c_to_s_avg":105.8,"c_to_s_max":376,"c_to_s_stddev":69.8,"s_to_c_min":101,"s_to_c_avg":231.9,"s_to_c_max":414,"s_to_c_stddev":82.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Megaco","proto_id":"181","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01368{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":44,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1228468937630923,"flow_src_last_pkt_time":1228468963851351,"flow_dst_last_pkt_time":1228468963854227,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":334,"flow_dst_max_l4_payload_len":372,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":3039,"midstream":0,"thread_ts_usec":1228468963854227,"l3_proto":"ip4","src_ip":"10.35.40.22","dst_ip":"10.23.1.42","src_port":2944,"dst_port":2944,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":15,"flow_avg":1691733.2,"flow_max":4370196,"flow_stddev":2031243.2,"c_to_s_min":15,"c_to_s_avg":1748028.5,"c_to_s_max":4370170,"c_to_s_stddev":2040077.8,"s_to_c_min":142,"s_to_c_avg":1638956.5,"s_to_c_max":4370196,"s_to_c_stddev":2021502.6},"pktlen": {"c_to_s_min":87,"c_to_s_avg":105.8,"c_to_s_max":376,"c_to_s_stddev":69.8,"s_to_c_min":101,"s_to_c_avg":231.9,"s_to_c_max":414,"s_to_c_stddev":82.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Megaco","proto_id":"181","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00778{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":45,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228468965434208,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":172,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1228468965434208,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00748{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1228468965434208,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1228468965434208,"pkt":"ABgYesP\/AAglAXLqCABFuADIHecAAD0RDLUKIzxkChcBNDzcQXQAtEC7gAgAAGfPFaAOrw6v1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1Q=="} 00880{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228468965434208,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":172,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1228468965434208,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} 00748{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1228468965455031,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1228468965455031,"pkt":"ABgYesP\/AAglAXLqCABFuADIHegAAD0RDLQKIzxkChcBNDzcQXQAtEAagAgAAWfPFkAOrw6v1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1Q=="} 00748{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":47,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1228468965474173,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1228468965474173,"pkt":"ABgYesP\/AAglAXLqCABFuADIHekAAD0RDLMKIzxkChcBNDzcQXQAtD95gAgAAmfPFuAOrw6v1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1Q=="} -01333{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":90,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228468966054624,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1228468966054624,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1438,"flow_avg":68781.4,"flow_max":1580590,"flow_stddev":271571.0,"c_to_s_min":1438,"c_to_s_avg":68781.4,"c_to_s_max":1580590,"c_to_s_stddev":271571.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":214,"c_to_s_avg":214.0,"c_to_s_max":214,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} -01378{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3128,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1228468958651923,"flow_src_last_pkt_time":1228469002203721,"flow_dst_last_pkt_time":1228469002181512,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":383,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":881,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":9868,"flow_dst_tot_l4_payload_len":8158,"midstream":0,"thread_ts_usec":1228469002203721,"l3_proto":"ip4","src_ip":"10.35.40.25","dst_ip":"10.35.40.200","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":263,"flow_avg":2831868.0,"flow_max":27628387,"flow_stddev":6788177.0,"c_to_s_min":344,"c_to_s_avg":2943136.8,"c_to_s_max":27628387,"c_to_s_stddev":6782602.5,"s_to_c_min":263,"s_to_c_avg":2720599.2,"s_to_c_max":27585469,"s_to_c_stddev":6791925.0},"pktlen": {"c_to_s_min":425,"c_to_s_avg":658.8,"c_to_s_max":923,"c_to_s_stddev":215.1,"s_to_c_min":304,"s_to_c_avg":551.9,"s_to_c_max":894,"s_to_c_stddev":194.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01325{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":90,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228468966054624,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1228468966054624,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1438,"flow_avg":20013.4,"flow_max":39530,"flow_stddev":4863.7,"c_to_s_min":1438,"c_to_s_avg":20013.4,"c_to_s_max":39530,"c_to_s_stddev":4863.7,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":214,"c_to_s_avg":214.0,"c_to_s_max":214,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +01378{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3128,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1228468958651923,"flow_src_last_pkt_time":1228469002203721,"flow_dst_last_pkt_time":1228469002181512,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":383,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":881,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":9868,"flow_dst_tot_l4_payload_len":8158,"midstream":0,"thread_ts_usec":1228469002203721,"l3_proto":"ip4","src_ip":"10.35.40.25","dst_ip":"10.35.40.200","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":263,"flow_avg":2809077.0,"flow_max":27628387,"flow_stddev":6895590.0,"c_to_s_min":344,"c_to_s_avg":2903453.2,"c_to_s_max":27628387,"c_to_s_stddev":7003243.0,"s_to_c_min":263,"s_to_c_avg":2720599.2,"s_to_c_max":27585469,"s_to_c_stddev":6791925.0},"pktlen": {"c_to_s_min":425,"c_to_s_avg":658.8,"c_to_s_max":923,"c_to_s_stddev":215.1,"s_to_c_min":304,"s_to_c_avg":551.9,"s_to_c_max":894,"s_to_c_stddev":194.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00936{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":7217,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":3848,"flow_dst_packets_processed":3147,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228469042419324,"flow_dst_last_pkt_time":1228469042392141,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":661700,"flow_dst_tot_l4_payload_len":438699,"midstream":0,"thread_ts_usec":1228469046884194,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":7217,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":65,"flow_dst_packets_processed":65,"flow_first_seen":1228468937630923,"flow_src_last_pkt_time":1228469046881931,"flow_dst_last_pkt_time":1228469046884194,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":541,"flow_dst_max_l4_payload_len":519,"flow_src_tot_l4_payload_len":5058,"flow_dst_tot_l4_payload_len":13052,"midstream":0,"thread_ts_usec":1228469046884194,"l3_proto":"ip4","src_ip":"10.35.40.22","dst_ip":"10.23.1.42","src_port":2944,"dst_port":2944,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Megaco","proto_id":"181","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00936{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":7217,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":12,"flow_first_seen":1228468958657176,"flow_src_last_pkt_time":1228469042380433,"flow_dst_last_pkt_time":1228469042442455,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":338,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":884,"flow_dst_max_l4_payload_len":833,"flow_src_tot_l4_payload_len":6036,"flow_dst_tot_l4_payload_len":6141,"midstream":0,"thread_ts_usec":1228469046884194,"l3_proto":"ip4","src_ip":"138.132.169.101","dst_ip":"192.168.100.219","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} diff --git a/test/results/KakaoTalk_chat.pcap.out b/test/results/KakaoTalk_chat.pcap.out index 1102ba420..89333d329 100644 --- a/test/results/KakaoTalk_chat.pcap.out +++ b/test/results/KakaoTalk_chat.pcap.out @@ -151,7 +151,7 @@ 00769{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":186,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069031611243,"flow_src_last_pkt_time":1430069031611243,"flow_dst_last_pkt_time":1430069031611243,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069031611243,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58927,"dst_port":5223,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00603{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":186,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_src_last_pkt_time":1430069031611243,"flow_dst_last_pkt_time":1430069031611243,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":113,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":113,"pkt_l4_len":77,"thread_ts_usec":1430069031611243,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAGHTnUAAQAbVXgoYUrw2\/\/3H5i8UZ+uf0VkGiXPCgBgCYxkQAAABAQgKAAKTKDTnT0kXAwEAKNOo\/lFrrxEtj1oyrBEybZXAvF7754xqLjvuYfV0gCpDpumAA3\/lW60="} 01016{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":186,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069031611243,"flow_src_last_pkt_time":1430069031611243,"flow_dst_last_pkt_time":1430069031611243,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069031611243,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58927,"dst_port":5223,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01599{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":190,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1430069031042945,"flow_src_last_pkt_time":1430069031534339,"flow_dst_last_pkt_time":1430069031721991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":997,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":2489,"flow_dst_tot_l4_payload_len":4397,"midstream":0,"thread_ts_usec":1430069031721991,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.70","src_port":43581,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":92,"flow_avg":37388.8,"flow_max":174316,"flow_stddev":42855.5,"c_to_s_min":92,"c_to_s_avg":32337.2,"c_to_s_max":123993,"c_to_s_stddev":37573.2,"s_to_c_min":671,"s_to_c_avg":42440.4,"s_to_c_max":174316,"s_to_c_stddev":47014.9},"pktlen": {"c_to_s_min":56,"c_to_s_avg":212.8,"c_to_s_max":1053,"c_to_s_stddev":311.3,"s_to_c_min":56,"s_to_c_avg":331.3,"s_to_c_max":1336,"s_to_c_stddev":442.1}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01599{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":190,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1430069031042945,"flow_src_last_pkt_time":1430069031534339,"flow_dst_last_pkt_time":1430069031721991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":997,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":2489,"flow_dst_tot_l4_payload_len":4397,"midstream":0,"thread_ts_usec":1430069031721991,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.70","src_port":43581,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":92,"flow_avg":37756.1,"flow_max":174316,"flow_stddev":43491.6,"c_to_s_min":92,"c_to_s_avg":32759.6,"c_to_s_max":123993,"c_to_s_stddev":38768.6,"s_to_c_min":671,"s_to_c_avg":42440.4,"s_to_c_max":174316,"s_to_c_stddev":47014.9},"pktlen": {"c_to_s_min":56,"c_to_s_avg":212.8,"c_to_s_max":1053,"c_to_s_stddev":311.3,"s_to_c_min":56,"s_to_c_avg":331.3,"s_to_c_max":1336,"s_to_c_stddev":442.1}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":210,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069035398200,"flow_src_last_pkt_time":1430069035398200,"flow_dst_last_pkt_time":1430069035398200,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069035398200,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"210.103.240.15","src_port":42332,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":210,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1430069035398200,"flow_dst_last_pkt_time":1430069035398200,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069035398200,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAChV8UAAQAbFkwoYUrzSZ\/APpVwBu+YrTKNirTiWUBFpAB9mAAA="} 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":211,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_src_last_pkt_time":1430069035398200,"flow_dst_last_pkt_time":1430069035537940,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069035537940,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACgkaUAAjgapG9Jn8A8KGFK8AbulXGKtOJbmK0ykUBCkj3bOAAA="} @@ -165,7 +165,7 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":220,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_src_last_pkt_time":1430069035967627,"flow_dst_last_pkt_time":1430069036008002,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1430069036008002,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACxGQkAA+AZ8VB8NRFQKGFK8AbuwnWIYU8F1uP30YBIRHOshAAACBAV4"} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":221,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_src_last_pkt_time":1430069036010596,"flow_dst_last_pkt_time":1430069036008002,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069036010596,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAACjw1kAAPwaKxAoYUrwfDURUsJ0Bu3W4\/fRiGFPCUBA5CNq2AAA="} 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":222,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1430069035967627,"flow_src_last_pkt_time":1430069036012946,"flow_dst_last_pkt_time":1430069036008002,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":184,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069036012946,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45213,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","tls": {"version":"TLSv1","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} -01219{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069026370215,"flow_src_last_pkt_time":1430069036014563,"flow_dst_last_pkt_time":1430069032269782,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":654,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1689,"flow_dst_tot_l4_payload_len":3666,"midstream":0,"thread_ts_usec":1430069036014563,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3723,"flow_avg":495494.8,"flow_max":3802978,"flow_stddev":819547.3,"c_to_s_min":3723,"c_to_s_avg":553126.0,"c_to_s_max":3802978,"c_to_s_stddev":956845.4,"s_to_c_min":4089,"s_to_c_avg":421397.7,"s_to_c_max":2320373,"s_to_c_stddev":590184.1},"pktlen": {"c_to_s_min":56,"c_to_s_avg":152.1,"c_to_s_max":710,"c_to_s_stddev":160.3,"s_to_c_min":56,"s_to_c_avg":318.7,"s_to_c_max":1336,"s_to_c_stddev":484.7}}} +01219{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069026370215,"flow_src_last_pkt_time":1430069036014563,"flow_dst_last_pkt_time":1430069032269782,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":654,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1689,"flow_dst_tot_l4_payload_len":3666,"midstream":0,"thread_ts_usec":1430069036014563,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3723,"flow_avg":501416.6,"flow_max":3802978,"flow_stddev":831986.8,"c_to_s_min":3723,"c_to_s_avg":567314.6,"c_to_s_max":3802978,"c_to_s_stddev":982743.9,"s_to_c_min":4089,"s_to_c_avg":421397.7,"s_to_c_max":2320373,"s_to_c_stddev":590184.1},"pktlen": {"c_to_s_min":56,"c_to_s_avg":152.1,"c_to_s_max":710,"c_to_s_stddev":160.3,"s_to_c_min":56,"s_to_c_avg":318.7,"s_to_c_max":1336,"s_to_c_stddev":484.7}}} 02108{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":223,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069026370215,"flow_src_last_pkt_time":1430069036014563,"flow_dst_last_pkt_time":1430069032269782,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":654,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1689,"flow_dst_tot_l4_payload_len":3666,"midstream":0,"thread_ts_usec":1430069036014563,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","tls": {"version":"TLSv1","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":228,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069036068122,"flow_src_last_pkt_time":1430069036068122,"flow_dst_last_pkt_time":1430069036068122,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069036068122,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":228,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1430069036068122,"flow_dst_last_pkt_time":1430069036068122,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1430069036068122,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADwqSkAAPwalnwoYUryt\/GECircBu1PEJ3oAAAAAoAI5CI51AAACBAV4BAIICgALDTAAAAAAAQMDBw=="} @@ -187,7 +187,7 @@ 00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":325,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069060011328,"flow_src_last_pkt_time":1430069060011328,"flow_dst_last_pkt_time":1430069060011328,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":27,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069060011328,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":325,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1430069060011328,"flow_dst_last_pkt_time":1430069060011328,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":83,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":83,"pkt_l4_len":47,"thread_ts_usec":1430069060011328,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAENCkUAAQAbmZgoYUrzYOtyuwEEBuxTXAEVlWZivUBiMAAFrAAAVAwEAFnnuS9reX0mqADPiihp3NglZFsDnKQA="} 00877{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":325,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069060011328,"flow_src_last_pkt_time":1430069060011328,"flow_dst_last_pkt_time":1430069060011328,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":27,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069060011328,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01614{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1430069036068122,"flow_src_last_pkt_time":1430069064769263,"flow_dst_last_pkt_time":1430069064804816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":522,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1362,"flow_dst_tot_l4_payload_len":3690,"midstream":0,"thread_ts_usec":1430069064804816,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":122,"flow_avg":1795768.8,"flow_max":27030701,"flow_stddev":6505051.0,"c_to_s_min":122,"c_to_s_avg":1795494.0,"c_to_s_max":26937805,"c_to_s_stddev":6493542.0,"s_to_c_min":183,"s_to_c_avg":1796043.4,"s_to_c_max":27030701,"s_to_c_stddev":6516540.5},"pktlen": {"c_to_s_min":56,"c_to_s_avg":142.4,"c_to_s_max":578,"c_to_s_stddev":138.7,"s_to_c_min":56,"s_to_c_avg":287.1,"s_to_c_max":1336,"s_to_c_stddev":461.1}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01614{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1430069036068122,"flow_src_last_pkt_time":1430069064769263,"flow_dst_last_pkt_time":1430069064804816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":522,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1362,"flow_dst_tot_l4_payload_len":3690,"midstream":0,"thread_ts_usec":1430069064804816,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":122,"flow_avg":1852833.4,"flow_max":27030701,"flow_stddev":6601250.5,"c_to_s_min":122,"c_to_s_avg":1913409.4,"c_to_s_max":26937805,"c_to_s_stddev":6689894.5,"s_to_c_min":183,"s_to_c_avg":1796043.4,"s_to_c_max":27030701,"s_to_c_stddev":6516540.5},"pktlen": {"c_to_s_min":56,"c_to_s_avg":142.4,"c_to_s_max":578,"c_to_s_stddev":138.7,"s_to_c_min":56,"s_to_c_avg":287.1,"s_to_c_max":1336,"s_to_c_stddev":461.1}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":341,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1430069072945990,"flow_dst_last_pkt_time":1430069031611243,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1430069072945990,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADTTnkAAQAbVigoYUrw2\/\/3H5i8UZ+uf0YYGiXPCgBQCY5HBAAABAQgKAAKjTTTnT0k="} 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":342,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069072986762,"flow_src_last_pkt_time":1430069072986762,"flow_dst_last_pkt_time":1430069072986762,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069072986762,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58964,"dst_port":5223,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00551{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":342,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":1,"flow_src_last_pkt_time":1430069072986762,"flow_dst_last_pkt_time":1430069072986762,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1430069072986762,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADwsMEAAQAZ88QoYUrw2\/\/3H5lQUZzqvj2AAAAAAoAI2sJHJAAACBAV4BAIICgACo1AAAAAAAQMDBQ=="} diff --git a/test/results/KakaoTalk_talk.pcap.out b/test/results/KakaoTalk_talk.pcap.out index 2e365b803..debf9ae0b 100644 --- a/test/results/KakaoTalk_talk.pcap.out +++ b/test/results/KakaoTalk_talk.pcap.out @@ -59,8 +59,8 @@ 00642{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":130,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1430069171998328,"flow_dst_last_pkt_time":1430069171127448,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":142,"pkt_l4_len":106,"thread_ts_usec":1430069171998328,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAH4AAEAAPxHbJAoYUrwByQGuLDlaBQBqX6qByAAMC4ZVGUMDyNdZMqzZvFL5masXDZVA6JQCTSwYzII6r0J+H6ebHDpiG6\/AGpupgF2zzgl2ppSiLVPnYiD98U8UjOQ2fRfyw\/ugiovyQFT+lfaAAAACkQQ8eHVaWMSL\/A=="} 00640{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":134,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1430069172038153,"flow_dst_last_pkt_time":1430069170975714,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":142,"pkt_l4_len":106,"thread_ts_usec":1430069172038153,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAH4AAEAAQBHaJAoYUrwByQGuKB1aBwBqXmKByAAMVJql2trT+4JMtrXIu\/DNYLUyrcCH4nJIkwVlTlKbwLjRHdwKTf1t+cEG2dNtu5tj5fpNWxpJ1GyPSnYq1Tkhei6L7QH9KpD9dMR2BEbVSkSAAAACiCDm5WucO1eQLg=="} 00644{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":141,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1430069172038153,"flow_dst_last_pkt_time":1430069172127570,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":142,"pkt_l4_len":106,"thread_ts_usec":1430069172127570,"pkt":"AAACEgAAAAAAAAAAAAAIAEUoAH4AAEAAGhH\/\/AHJAa4KGFK8WgcoHQBqY8SByAAMC4ZVGUMDyNdZMqzZvFL5masXDZVA6JQCTSwYzII6r0J+H6ebHDpiG6\/AGpupgF2zzgl2ppSiLVPnYiD98U8UjOQ2fRfyw\/ugiovyQFT+lfaAAAACkQQ8eHVaWMSL\/A=="} -01340{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":145,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1430069171118750,"flow_src_last_pkt_time":1430069172108954,"flow_dst_last_pkt_time":1430069172193000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":56,"flow_dst_max_l4_payload_len":148,"flow_src_tot_l4_payload_len":1101,"flow_dst_tot_l4_payload_len":793,"midstream":0,"thread_ts_usec":1430069172193000,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":11320,"dst_port":23044,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":30,"flow_avg":69365.5,"flow_max":389008,"flow_stddev":73312.8,"c_to_s_min":30,"c_to_s_avg":57272.4,"c_to_s_max":155243,"c_to_s_stddev":52660.3,"s_to_c_min":16052,"s_to_c_avg":89520.8,"s_to_c_max":389008,"s_to_c_stddev":95188.6},"pktlen": {"c_to_s_min":99,"c_to_s_avg":99.1,"c_to_s_max":100,"c_to_s_stddev":0.2,"s_to_c_min":99,"s_to_c_avg":110.1,"s_to_c_max":192,"s_to_c_stddev":25.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} -01343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":157,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069171389136,"flow_src_last_pkt_time":1430069172366187,"flow_dst_last_pkt_time":1430069172379615,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":55,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":770,"midstream":0,"thread_ts_usec":1430069172379615,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":10268,"dst_port":23046,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4181,"flow_avg":63933.4,"flow_max":143921,"flow_stddev":37443.4,"c_to_s_min":32257,"c_to_s_avg":58632.8,"c_to_s_max":102021,"c_to_s_stddev":22291.6,"s_to_c_min":4181,"s_to_c_avg":70748.5,"s_to_c_max":143921,"s_to_c_stddev":49831.0},"pktlen": {"c_to_s_min":99,"c_to_s_avg":112.4,"c_to_s_max":192,"c_to_s_stddev":26.3,"s_to_c_min":99,"s_to_c_avg":99.0,"s_to_c_max":99,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +01340{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":145,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1430069171118750,"flow_src_last_pkt_time":1430069172108954,"flow_dst_last_pkt_time":1430069172193000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":56,"flow_dst_max_l4_payload_len":148,"flow_src_tot_l4_payload_len":1101,"flow_dst_tot_l4_payload_len":793,"midstream":0,"thread_ts_usec":1430069172193000,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":11320,"dst_port":23044,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":30,"flow_avg":66595.3,"flow_max":389008,"flow_stddev":72818.7,"c_to_s_min":30,"c_to_s_avg":52116.0,"c_to_s_max":103547,"c_to_s_stddev":48860.1,"s_to_c_min":16052,"s_to_c_avg":89520.8,"s_to_c_max":389008,"s_to_c_stddev":95188.6},"pktlen": {"c_to_s_min":99,"c_to_s_avg":99.1,"c_to_s_max":100,"c_to_s_stddev":0.2,"s_to_c_min":99,"s_to_c_avg":110.1,"s_to_c_max":192,"s_to_c_stddev":25.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +01343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":157,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069171389136,"flow_src_last_pkt_time":1430069172366187,"flow_dst_last_pkt_time":1430069172379615,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":55,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":770,"midstream":0,"thread_ts_usec":1430069172379615,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":10268,"dst_port":23046,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4181,"flow_avg":63468.7,"flow_max":143921,"flow_stddev":37951.6,"c_to_s_min":32257,"c_to_s_avg":57473.6,"c_to_s_max":102021,"c_to_s_stddev":22404.4,"s_to_c_min":4181,"s_to_c_avg":70748.5,"s_to_c_max":143921,"s_to_c_stddev":49831.0},"pktlen": {"c_to_s_min":99,"c_to_s_avg":112.4,"c_to_s_max":192,"c_to_s_stddev":26.3,"s_to_c_min":99,"s_to_c_avg":99.0,"s_to_c_max":99,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} 00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":691,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069180329901,"flow_src_last_pkt_time":1430069180329901,"flow_dst_last_pkt_time":1430069180329901,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":27,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069180329901,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":691,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_src_last_pkt_time":1430069180329901,"flow_dst_last_pkt_time":1430069180329901,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":83,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":83,"pkt_l4_len":47,"thread_ts_usec":1430069180329901,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAENCkkAAQAbmZQoYUrzYOtyuwEEBuxTXAEVlWZivUBiMAAFrAAAVAwEAFnnuS9reX0mqADPiihp3NglZFsDnKQA="} 00877{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":691,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069180329901,"flow_src_last_pkt_time":1430069180329901,"flow_dst_last_pkt_time":1430069180329901,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":27,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069180329901,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} @@ -68,9 +68,9 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1470,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1430069193291327,"flow_dst_last_pkt_time":1430069193291327,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069193291327,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACg66EAAjgYtFq38egEKGFK8AbvLm\/Ii35zxwsMTUBSkcjKfAAA="} 00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2099,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069201833106,"flow_src_last_pkt_time":1430069201833106,"flow_dst_last_pkt_time":1430069201833106,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069201833106,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"203.205.151.233","src_port":53974,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2099,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1430069201833106,"flow_dst_last_pkt_time":1430069201833106,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":70,"pkt_l4_len":34,"thread_ts_usec":1430069201833106,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADZOw0AAQAYrdAoYUrzLzZfp0tYfkMl8NsazTa2QgBgBtk1IAAABAQgKAALVpswmIb5QFA=="} -01939{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2117,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069163715308,"flow_src_last_pkt_time":1430069202114386,"flow_dst_last_pkt_time":1430069181143378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":746,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":2452,"flow_dst_tot_l4_payload_len":3072,"midstream":0,"thread_ts_usec":1430069202114386,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":32968,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2289,"flow_avg":1760727.9,"flow_max":20336762,"flow_stddev":4095713.0,"c_to_s_min":2289,"c_to_s_avg":2161957.0,"c_to_s_max":20336762,"c_to_s_stddev":4936990.5,"s_to_c_min":4516,"s_to_c_avg":1244862.1,"s_to_c_max":8675995,"s_to_c_stddev":2555701.5},"pktlen": {"c_to_s_min":68,"c_to_s_avg":204.7,"c_to_s_max":814,"c_to_s_stddev":177.4,"s_to_c_min":68,"s_to_c_avg":288.9,"s_to_c_max":920,"s_to_c_stddev":276.5}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.KakaoTalk","proto_id":"91.193","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01939{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2117,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069163715308,"flow_src_last_pkt_time":1430069202114386,"flow_dst_last_pkt_time":1430069181143378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":746,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":2452,"flow_dst_tot_l4_payload_len":3072,"midstream":0,"thread_ts_usec":1430069202114386,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":32968,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2289,"flow_avg":1800875.8,"flow_max":20336762,"flow_stddev":4155046.5,"c_to_s_min":2289,"c_to_s_avg":2258769.5,"c_to_s_max":20336762,"c_to_s_stddev":5063489.5,"s_to_c_min":4516,"s_to_c_avg":1244862.1,"s_to_c_max":8675995,"s_to_c_stddev":2555701.5},"pktlen": {"c_to_s_min":68,"c_to_s_avg":204.7,"c_to_s_max":814,"c_to_s_stddev":177.4,"s_to_c_min":68,"s_to_c_avg":288.9,"s_to_c_max":920,"s_to_c_stddev":276.5}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.KakaoTalk","proto_id":"91.193","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2182,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1430069202570380,"flow_dst_last_pkt_time":1430069201833106,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":70,"pkt_l4_len":34,"thread_ts_usec":1430069202570380,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADZOxEAAQAYrcwoYUrzLzZfp0tYfkMl8NsazTa2QgBgBtkz+AAABAQgKAALV8MwmIb5QFA=="} -01937{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2227,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069164966834,"flow_src_last_pkt_time":1430069202329230,"flow_dst_last_pkt_time":1430069203383368,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":794,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":2842,"flow_dst_tot_l4_payload_len":3488,"midstream":0,"thread_ts_usec":1430069203383368,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":58857,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":183,"flow_avg":2377782.8,"flow_max":21237091,"flow_stddev":5271384.5,"c_to_s_min":183,"c_to_s_avg":2092917.5,"c_to_s_max":20472016,"c_to_s_stddev":4945938.0,"s_to_c_min":336,"s_to_c_avg":2744038.2,"s_to_c_max":21237091,"s_to_c_stddev":5641299.5},"pktlen": {"c_to_s_min":68,"c_to_s_avg":226.3,"c_to_s_max":862,"c_to_s_stddev":229.6,"s_to_c_min":68,"s_to_c_avg":319.4,"s_to_c_max":920,"s_to_c_stddev":299.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.KakaoTalk","proto_id":"91.193","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01937{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2227,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069164966834,"flow_src_last_pkt_time":1430069202329230,"flow_dst_last_pkt_time":1430069203383368,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":794,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":2842,"flow_dst_tot_l4_payload_len":3488,"midstream":0,"thread_ts_usec":1430069203383368,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":58857,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":183,"flow_avg":2444481.5,"flow_max":21237091,"flow_stddev":5342425.0,"c_to_s_min":183,"c_to_s_avg":2197788.0,"c_to_s_max":20472016,"c_to_s_stddev":5069842.5,"s_to_c_min":336,"s_to_c_avg":2744038.2,"s_to_c_max":21237091,"s_to_c_stddev":5641299.5},"pktlen": {"c_to_s_min":68,"c_to_s_avg":226.3,"c_to_s_max":862,"c_to_s_stddev":229.6,"s_to_c_min":68,"s_to_c_avg":319.4,"s_to_c_max":920,"s_to_c_stddev":299.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.KakaoTalk","proto_id":"91.193","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2278,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1430069204049811,"flow_dst_last_pkt_time":1430069201833106,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":70,"pkt_l4_len":34,"thread_ts_usec":1430069204049811,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADZOxUAAQAYrcgoYUrzLzZfp0tYfkMl8NsazTa2QgBgBtkxqAAABAQgKAALWhMwmIb5QFA=="} 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2798,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069210863623,"flow_src_last_pkt_time":1430069210863623,"flow_dst_last_pkt_time":1430069210863623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069210863623,"l3_proto":"ip4","src_ip":"173.194.117.229","dst_ip":"10.24.82.188","src_port":443,"dst_port":38380,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2798,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1430069210863623,"flow_dst_last_pkt_time":1430069210863623,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069210863623,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACih+UAAjgbKWq3CdeUKGFK8AbuV7IoFQj5TpMuVUBSklweYAAA="} diff --git a/test/results/Oscar.pcap.out b/test/results/Oscar.pcap.out index 48c044734..4a5d67b62 100644 --- a/test/results/Oscar.pcap.out +++ b/test/results/Oscar.pcap.out @@ -4,7 +4,7 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1434606464176482,"flow_dst_last_pkt_time":1434606464176482,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1434606464176482,"pkt":"AAxCW5ILDE3pmjdICABFAABAZ9pAAEAGAAAKHh0Dsu0Y+fd9Abu9oGylAAAAALAC\/\/\/zOQAAAgQFtAEDAwUBAQgKFdAS4wAAAAAEAgAA"} 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1434606464176482,"flow_dst_last_pkt_time":1434606464205135,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1434606464205135,"pkt":"DE3pmjdIAAxCW5ILCABFAAAsd\/VAAG8GoM+y7Rj5Ch4dAwG7933\/L+hsvaBspmASQABaVgAAAgQFUAAA"} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1434606464205258,"flow_dst_last_pkt_time":1434606464205135,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1434606464205258,"pkt":"AAxCW5ILDE3pmjdICABFAAAo27ZAAEAGAAAKHh0Dsu0Y+fd9Abu9oGym\/y\/obVAQ\/\/\/zIQAA"} -01218{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606524600171,"flow_dst_last_pkt_time":1434606524130160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1138,"flow_dst_tot_l4_payload_len":3047,"midstream":0,"thread_ts_usec":1434606524600171,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":50260740.0,"flow_max":1487966290,"flow_stddev":258601120.0,"c_to_s_min":115,"c_to_s_avg":81494208.0,"c_to_s_max":1487966290,"c_to_s_stddev":331761280.0,"s_to_c_min":3,"s_to_c_avg":4611821.5,"s_to_c_max":58215154,"s_to_c_stddev":15478863.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":115.2,"c_to_s_max":369,"c_to_s_stddev":97.6,"s_to_c_min":60,"s_to_c_avg":290.7,"s_to_c_max":1414,"s_to_c_stddev":372.1}}} +01210{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606524600171,"flow_dst_last_pkt_time":1434606524130160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1138,"flow_dst_tot_l4_payload_len":3047,"midstream":0,"thread_ts_usec":1434606524600171,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":3883141.0,"flow_max":58215154,"flow_stddev":14267685.0,"c_to_s_min":115,"c_to_s_avg":3356871.5,"c_to_s_max":58175544,"c_to_s_stddev":13299845.0,"s_to_c_min":3,"s_to_c_avg":4611821.5,"s_to_c_max":58215154,"s_to_c_stddev":15478863.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":115.2,"c_to_s_max":369,"c_to_s_stddev":97.6,"s_to_c_min":60,"s_to_c_avg":290.7,"s_to_c_max":1414,"s_to_c_stddev":372.1}}} 00866{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":32,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606524600171,"flow_dst_last_pkt_time":1434606524130160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1138,"flow_dst_tot_l4_payload_len":3047,"midstream":0,"thread_ts_usec":1434606524600171,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00867{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":32,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606524600171,"flow_dst_last_pkt_time":1434606524130160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1138,"flow_dst_tot_l4_payload_len":3047,"midstream":0,"thread_ts_usec":1434606524600171,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00906{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":71,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":38,"flow_dst_packets_processed":33,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606536630487,"flow_dst_last_pkt_time":1434606536630387,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1504,"flow_dst_tot_l4_payload_len":3946,"midstream":0,"thread_ts_usec":1434606536630487,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -22,5 +22,5 @@ ~~ total allocations/frees...: 121506/121506 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 476 chars -~~ json string max len.......: 1223 chars -~~ json string avg len.......: 841 chars +~~ json string max len.......: 1215 chars +~~ json string avg len.......: 837 chars diff --git a/test/results/WebattackXSS.pcap.out b/test/results/WebattackXSS.pcap.out index 7e4f77acb..9ad1d91ed 100644 --- a/test/results/WebattackXSS.pcap.out +++ b/test/results/WebattackXSS.pcap.out @@ -34,7 +34,7 @@ 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1499346957283356,"flow_dst_last_pkt_time":1499346957283502,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499346957283502,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQy\/7+F1DJk3pVMKAScSDJ8AAAAgQFtAQCCAoD4q86ATjdwwEDAwc="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":80,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1499346957284023,"flow_dst_last_pkt_time":1499346957283476,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499346957284023,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0F6xAAD4GriysEAABwKgKMsv8AFD6Ecppc0a7\/oAQAOWsxgAAAQEICgE43cMD4q86"} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1499346957284024,"flow_dst_last_pkt_time":1499346957283502,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499346957284024,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0iO1AAD4GPOusEAABwKgKMsv+AFCTelUw\/hdQyoAQAOVo+AAAAQEICgE43cMD4q86"} -01475{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":95,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1499346956870305,"flow_src_last_pkt_time":1499346960890984,"flow_dst_last_pkt_time":1499346960891254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":559,"flow_dst_max_l4_payload_len":7926,"flow_src_tot_l4_payload_len":2972,"flow_dst_tot_l4_payload_len":13653,"midstream":0,"thread_ts_usec":1499346960891254,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":736029.9,"flow_max":15511329,"flow_stddev":2741409.2,"c_to_s_min":4,"c_to_s_avg":976600.4,"c_to_s_max":15511329,"c_to_s_stddev":3392118.2,"s_to_c_min":124,"s_to_c_avg":335079.1,"s_to_c_max":2805230,"s_to_c_stddev":778588.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":215.0,"c_to_s_max":625,"c_to_s_stddev":187.8,"s_to_c_min":66,"s_to_c_avg":1204.4,"s_to_c_max":7992,"s_to_c_stddev":2089.1}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01471{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":95,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1499346956870305,"flow_src_last_pkt_time":1499346960890984,"flow_dst_last_pkt_time":1499346960891254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":559,"flow_dst_max_l4_payload_len":7926,"flow_src_tot_l4_payload_len":2972,"flow_dst_tot_l4_payload_len":13653,"midstream":0,"thread_ts_usec":1499346960891254,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":259407.4,"flow_max":2805230,"flow_stddev":698816.2,"c_to_s_min":4,"c_to_s_avg":211614.7,"c_to_s_max":2804194,"c_to_s_stddev":638755.3,"s_to_c_min":124,"s_to_c_avg":335079.1,"s_to_c_max":2805230,"s_to_c_stddev":778588.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":215.0,"c_to_s_max":625,"c_to_s_stddev":187.8,"s_to_c_min":66,"s_to_c_avg":1204.4,"s_to_c_max":7992,"s_to_c_stddev":2089.1}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":100,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499346976603214,"flow_src_last_pkt_time":1499346976603214,"flow_dst_last_pkt_time":1499346976603214,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499346976603214,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52298,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1499346976603214,"flow_dst_last_pkt_time":1499346976603214,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499346976603214,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8Un9AAD4Gc1GsEAABwKgKMsxKAFAevqLeAAAAAKACchDe8gAAAgQFtAQCCAoBOPChAAAAAAEDAwc="} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":101,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1499346976603214,"flow_dst_last_pkt_time":1499346976603366,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499346976603366,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQzEoKnmxhHr6i36AScSCi1wAAAgQFtAQCCAoD4sIYATjwoQEDAwc="} @@ -52,7 +52,7 @@ 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1499346976999789,"flow_dst_last_pkt_time":1499346976999944,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499346976999944,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQzGAmGFC+ciJO0aAScSCizgAAAgQFtAQCCAoD4sJ7ATjxBAEDAwc="} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":133,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1499346977000540,"flow_dst_last_pkt_time":1499346976999925,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499346977000540,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0Z5JAAD4GXkasEAABwKgKMsxeAFDFSpaWtwyVpoAQAOXRDgAAAQEICgE48QQD4sJ7"} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":134,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1499346977000543,"flow_dst_last_pkt_time":1499346976999944,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499346977000543,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0v9VAAD4GBgOsEAABwKgKMsxgAFByIk7RJhhQv4AQAOVB1gAAAQEICgE48QQD4sJ7"} -01474{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":140,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1499346976603214,"flow_src_last_pkt_time":1499346977842457,"flow_dst_last_pkt_time":1499346977841725,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":559,"flow_dst_max_l4_payload_len":4344,"flow_src_tot_l4_payload_len":2998,"flow_dst_tot_l4_payload_len":14938,"midstream":0,"thread_ts_usec":1499346977842457,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52298,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":568437.0,"flow_max":15712230,"flow_stddev":2727490.5,"c_to_s_min":4,"c_to_s_avg":847573.6,"c_to_s_max":15712230,"c_to_s_stddev":3415091.0,"s_to_c_min":51,"s_to_c_avg":103209.2,"s_to_c_max":856251,"s_to_c_stddev":231302.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":216.3,"c_to_s_max":625,"c_to_s_stddev":189.3,"s_to_c_min":66,"s_to_c_avg":1311.5,"s_to_c_max":4410,"s_to_c_stddev":1460.3}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01466{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":140,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1499346976603214,"flow_src_last_pkt_time":1499346977842457,"flow_dst_last_pkt_time":1499346977841725,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":559,"flow_dst_max_l4_payload_len":4344,"flow_src_tot_l4_payload_len":2998,"flow_dst_tot_l4_payload_len":14938,"midstream":0,"thread_ts_usec":1499346977842457,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52298,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":79927.5,"flow_max":856251,"flow_stddev":206521.8,"c_to_s_min":4,"c_to_s_avg":65223.3,"c_to_s_max":851698,"c_to_s_stddev":187724.1,"s_to_c_min":51,"s_to_c_avg":103209.2,"s_to_c_max":856251,"s_to_c_stddev":231302.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":216.3,"c_to_s_max":625,"c_to_s_stddev":189.3,"s_to_c_min":66,"s_to_c_avg":1311.5,"s_to_c_max":4410,"s_to_c_stddev":1460.3}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01218{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":142,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1499346976677111,"flow_src_last_pkt_time":1499346977863501,"flow_dst_last_pkt_time":1499346976677196,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":364,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":364,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499346977863501,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52300,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"205.174.165.68","http": {"url":"205.174.165.68\/dv\/dvwa\/js\/dvwaPage.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:45.0) Gecko\/20100101 Firefox\/45.0","detected_os":"Linux x86_64"}}} 01208{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":144,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1499346976999785,"flow_src_last_pkt_time":1499346977870159,"flow_dst_last_pkt_time":1499346976999925,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499346977870159,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52318,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"205.174.165.68","http": {"url":"205.174.165.68\/dv\/favicon.ico","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:45.0) Gecko\/20100101 Firefox\/45.0","detected_os":"Linux x86_64"}}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":188,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499346983175773,"flow_src_last_pkt_time":1499346983175773,"flow_dst_last_pkt_time":1499346983175773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499346983175773,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52386,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -192,7 +192,7 @@ 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":659,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":1,"flow_src_last_pkt_time":1499347042150116,"flow_dst_last_pkt_time":1499347042150116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347042150116,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8q1JAAD4GGn6sEAABwKgKMs8MAFB23Zv2AAAAAKACchBK9gAAAgQFtAQCCAoBOTCkAAAAAAEDAwc="} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":660,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1499347042150116,"flow_dst_last_pkt_time":1499347042150244,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347042150244,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQzwwb3aSHdt2b96AScSCFcgAAAgQFtAQCCAoD4wIbATkwpAEDAwc="} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":661,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_src_last_pkt_time":1499347042150994,"flow_dst_last_pkt_time":1499347042150244,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347042150994,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0q1NAAD4GGoWsEAABwKgKMs8MAFB23Zv3G92kiIAQAOUkegAAAQEICgE5MKQD4wIb"} -01571{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":665,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347033203906,"flow_src_last_pkt_time":1499347043160870,"flow_dst_last_pkt_time":1499347042153970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16418,"midstream":0,"thread_ts_usec":1499347043160870,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52910,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":97,"flow_avg":598956.3,"flow_max":3808906,"flow_stddev":928163.4,"c_to_s_min":845,"c_to_s_avg":486501.8,"c_to_s_max":3808060,"c_to_s_stddev":847136.2,"s_to_c_min":97,"s_to_c_avg":813642.2,"s_to_c_max":3808906,"s_to_c_stddev":1032411.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.3,"s_to_c_max":1935,"s_to_c_stddev":703.4}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01571{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":665,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347033203906,"flow_src_last_pkt_time":1499347043160870,"flow_dst_last_pkt_time":1499347042153970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16418,"midstream":0,"thread_ts_usec":1499347043160870,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52910,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":97,"flow_avg":609904.1,"flow_max":3808906,"flow_stddev":940979.2,"c_to_s_min":845,"c_to_s_avg":497848.2,"c_to_s_max":3808060,"c_to_s_stddev":866497.7,"s_to_c_min":97,"s_to_c_avg":813642.2,"s_to_c_max":3808906,"s_to_c_stddev":1032411.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.3,"s_to_c_max":1935,"s_to_c_stddev":703.4}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":668,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347043416905,"flow_src_last_pkt_time":1499347043416905,"flow_dst_last_pkt_time":1499347043416905,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347043416905,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":53018,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":668,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_src_last_pkt_time":1499347043416905,"flow_dst_last_pkt_time":1499347043416905,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347043416905,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8okxAAD4GI4SsEAABwKgKMs8aAFDJVZOtAAAAAKACchD\/ewAAAgQFtAQCCAoBOTHhAAAAAAEDAwc="} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":669,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1499347043416905,"flow_dst_last_pkt_time":1499347043417034,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347043417034,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQzxosqk4zyVWTrqAScSB+QwAAAgQFtAQCCAoD4wNXATkx4QEDAwc="} @@ -360,7 +360,7 @@ 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1195,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":84,"flow_packet_id":1,"flow_src_last_pkt_time":1499347107719375,"flow_dst_last_pkt_time":1499347107719375,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347107719375,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8GMdAAD4GrQmsEAABwKgKMtG8AFANSWhrAAAAAKACchClXQAAAgQFtAQCCAoBOXCsAAAAAAEDAwc="} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1196,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":84,"flow_packet_id":2,"flow_src_last_pkt_time":1499347107719375,"flow_dst_last_pkt_time":1499347107719520,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347107719520,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ0byrN2AMDUlobKAScSBU8gAAAgQFtAQCCAoD40IjATlwrAEDAwc="} 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1197,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":84,"flow_packet_id":3,"flow_src_last_pkt_time":1499347107720082,"flow_dst_last_pkt_time":1499347107719520,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347107720082,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0GMhAAD4GrRCsEAABwKgKMtG8AFANSWhsqzdgDYAQAOXz+AAAAQEICgE5cK0D40Ij"} -01480{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1198,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":78,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347097460010,"flow_src_last_pkt_time":1499347107720768,"flow_dst_last_pkt_time":1499347107453968,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347107720768,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":53584,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":127,"flow_avg":640658.2,"flow_max":4898512,"flow_stddev":1169455.9,"c_to_s_min":684,"c_to_s_avg":500338.4,"c_to_s_max":4897818,"c_to_s_stddev":1051859.8,"s_to_c_min":127,"s_to_c_avg":908541.6,"s_to_c_max":4898512,"s_to_c_stddev":1325505.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1550.3,"s_to_c_max":1934,"s_to_c_stddev":699.2}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01480{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1198,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":78,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347097460010,"flow_src_last_pkt_time":1499347107720768,"flow_dst_last_pkt_time":1499347107453968,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347107720768,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":53584,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":127,"flow_avg":653377.9,"flow_max":4898512,"flow_stddev":1185987.6,"c_to_s_min":684,"c_to_s_avg":513037.9,"c_to_s_max":4897818,"c_to_s_stddev":1076263.2,"s_to_c_min":127,"s_to_c_avg":908541.6,"s_to_c_max":4898512,"s_to_c_stddev":1325505.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1550.3,"s_to_c_max":1934,"s_to_c_stddev":699.2}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01032{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1207,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":6,"flow_first_seen":1499346976677111,"flow_src_last_pkt_time":1499346982914483,"flow_dst_last_pkt_time":1499346982914560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":395,"flow_dst_max_l4_payload_len":5330,"flow_src_tot_l4_payload_len":759,"flow_dst_tot_l4_payload_len":6093,"midstream":0,"thread_ts_usec":1499347109003737,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52300,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01032{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1207,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1499346976999785,"flow_src_last_pkt_time":1499346982906448,"flow_dst_last_pkt_time":1499346982906527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1707,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":1707,"midstream":0,"thread_ts_usec":1499347109003737,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52318,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00892{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1207,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499346976999789,"flow_src_last_pkt_time":1499346982607912,"flow_dst_last_pkt_time":1499346982607149,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347109003737,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52320,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} @@ -577,7 +577,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1708,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":119,"flow_packet_id":1,"flow_src_last_pkt_time":1499347172098409,"flow_dst_last_pkt_time":1499347172098409,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347172098409,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8dk5AAD4GT4KsEAABwKgKMtRaAFDNItnFAAAAAKACchAyrAAAAgQFtAQCCAoBOa+LAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1709,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":119,"flow_packet_id":2,"flow_src_last_pkt_time":1499347172098409,"flow_dst_last_pkt_time":1499347172098530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347172098530,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ1FoQ75vBzSLZxqAScSAB9QAAAgQFtAQCCAoD44ECATmviwEDAwc="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1710,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":119,"flow_packet_id":3,"flow_src_last_pkt_time":1499347172099279,"flow_dst_last_pkt_time":1499347172098530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347172099279,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0dk9AAD4GT4msEAABwKgKMtRaAFDNItnGEO+bwoAQAOWg\/AAAAQEICgE5r4sD44EC"} -01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1714,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":114,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347163177633,"flow_src_last_pkt_time":1499347173124164,"flow_dst_last_pkt_time":1499347172102919,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16417,"midstream":0,"thread_ts_usec":1499347173124164,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54268,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":107,"flow_avg":598023.6,"flow_max":3827235,"flow_stddev":930415.7,"c_to_s_min":901,"c_to_s_avg":486260.5,"c_to_s_max":3826349,"c_to_s_stddev":849062.4,"s_to_c_min":107,"s_to_c_avg":811389.6,"s_to_c_max":3827235,"s_to_c_stddev":1035699.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.2,"s_to_c_max":1935,"s_to_c_stddev":703.4}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1714,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":114,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347163177633,"flow_src_last_pkt_time":1499347173124164,"flow_dst_last_pkt_time":1499347172102919,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16417,"midstream":0,"thread_ts_usec":1499347173124164,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54268,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":107,"flow_avg":608768.2,"flow_max":3827235,"flow_stddev":943347.2,"c_to_s_min":901,"c_to_s_avg":497326.6,"c_to_s_max":3826349,"c_to_s_stddev":868550.9,"s_to_c_min":107,"s_to_c_avg":811389.6,"s_to_c_max":3827235,"s_to_c_stddev":1035699.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.2,"s_to_c_max":1935,"s_to_c_stddev":703.4}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1717,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":120,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347173373791,"flow_src_last_pkt_time":1499347173373791,"flow_dst_last_pkt_time":1499347173373791,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347173373791,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54376,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1717,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":120,"flow_packet_id":1,"flow_src_last_pkt_time":1499347173373791,"flow_dst_last_pkt_time":1499347173373791,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347173373791,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8XK1AAD4GaSOsEAABwKgKMtRoAFDpcOxnAAAAAKACchACbwAAAgQFtAQCCAoBObDKAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1718,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":120,"flow_packet_id":2,"flow_src_last_pkt_time":1499347173373791,"flow_dst_last_pkt_time":1499347173373905,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347173373905,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ1GhwCsiK6XDsaKAScSBElAAAAgQFtAQCCAoD44JBATmwygEDAwc="} @@ -800,7 +800,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2235,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":157,"flow_packet_id":1,"flow_src_last_pkt_time":1499347235716450,"flow_dst_last_pkt_time":1499347235716450,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347235716450,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8wLxAAD4GBRSsEAABwKgKMtb+AFAtaC0QAAAAAKACchA+VwAAAgQFtAQCCAoBOe2sAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2236,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":157,"flow_packet_id":2,"flow_src_last_pkt_time":1499347235716450,"flow_dst_last_pkt_time":1499347235716582,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347235716582,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ1v760xqZLWgtEaAScSBmwwAAAgQFtAQCCAoD478iATntrAEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2237,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":157,"flow_packet_id":3,"flow_src_last_pkt_time":1499347235717314,"flow_dst_last_pkt_time":1499347235716582,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347235717314,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0wL1AAD4GBRusEAABwKgKMtb+AFAtaC0R+tMamoAQAOUFywAAAQEICgE57awD478i"} -01476{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2247,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":152,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347228091325,"flow_src_last_pkt_time":1499347237016547,"flow_dst_last_pkt_time":1499347236759533,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16317,"midstream":0,"thread_ts_usec":1499347237016547,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54956,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":95,"flow_avg":557283.2,"flow_max":3642588,"flow_stddev":891176.6,"c_to_s_min":698,"c_to_s_avg":436421.7,"c_to_s_max":3641887,"c_to_s_stddev":808113.1,"s_to_c_min":95,"s_to_c_avg":788018.9,"s_to_c_max":3642588,"s_to_c_stddev":991229.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1550.1,"s_to_c_max":1935,"s_to_c_stddev":699.1}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01476{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2247,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":152,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347228091325,"flow_src_last_pkt_time":1499347237016547,"flow_dst_last_pkt_time":1499347236759533,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16317,"midstream":0,"thread_ts_usec":1499347237016547,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54956,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":95,"flow_avg":567530.0,"flow_max":3642588,"flow_stddev":903579.0,"c_to_s_min":698,"c_to_s_avg":446261.1,"c_to_s_max":3641887,"c_to_s_stddev":826841.1,"s_to_c_min":95,"s_to_c_avg":788018.9,"s_to_c_max":3642588,"s_to_c_stddev":991229.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1550.1,"s_to_c_max":1935,"s_to_c_stddev":699.1}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2253,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347238260432,"flow_src_last_pkt_time":1499347238260432,"flow_dst_last_pkt_time":1499347238260432,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347238260432,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55064,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2253,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_packet_id":1,"flow_src_last_pkt_time":1499347238260432,"flow_dst_last_pkt_time":1499347238260432,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347238260432,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8N5lAAD4GjjesEAABwKgKMtcYAFCMG8exAAAAAKACchBCbAAAAgQFtAQCCAoBOfAoAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2254,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_packet_id":2,"flow_src_last_pkt_time":1499347238260432,"flow_dst_last_pkt_time":1499347238260538,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347238260538,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ1xiQuLeAjBvHsqAScSA1kAAAAgQFtAQCCAoD48GeATnwKAEDAwc="} @@ -1019,7 +1019,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2770,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":195,"flow_packet_id":1,"flow_src_last_pkt_time":1499347300263398,"flow_dst_last_pkt_time":1499347300263398,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347300263398,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8bohAAD4GV0isEAABwKgKMtmuAFBvk0I9AAAAAKACchClRQAAAgQFtAQCCAoBOiy1AAAAAAEDAwc="} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2771,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":195,"flow_packet_id":2,"flow_src_last_pkt_time":1499347300263398,"flow_dst_last_pkt_time":1499347300263526,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347300263526,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ2a7Gy0E5b5NCPqAScSCcEAAAAgQFtAQCCAoD4\/4rATostQEDAwc="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2772,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":195,"flow_packet_id":3,"flow_src_last_pkt_time":1499347300264292,"flow_dst_last_pkt_time":1499347300263526,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347300264292,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0bolAAD4GV0+sEAABwKgKMtmuAFBvk0I+xstBOoAQAOU7GAAAAQEICgE6LLUD4\/4r"} -01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2779,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":190,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347291442976,"flow_src_last_pkt_time":1499347301278351,"flow_dst_last_pkt_time":1499347300267830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16422,"midstream":0,"thread_ts_usec":1499347301278351,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55632,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":124,"flow_avg":591446.1,"flow_max":3784925,"flow_stddev":923035.0,"c_to_s_min":875,"c_to_s_avg":481020.2,"c_to_s_max":3784070,"c_to_s_stddev":842107.8,"s_to_c_min":124,"s_to_c_avg":802259.4,"s_to_c_max":3784925,"s_to_c_stddev":1028096.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.6,"s_to_c_max":1935,"s_to_c_stddev":703.6}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2779,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":190,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347291442976,"flow_src_last_pkt_time":1499347301278351,"flow_dst_last_pkt_time":1499347300267830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16422,"midstream":0,"thread_ts_usec":1499347301278351,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55632,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":124,"flow_avg":601942.8,"flow_max":3784925,"flow_stddev":935922.8,"c_to_s_min":875,"c_to_s_avg":491768.8,"c_to_s_max":3784070,"c_to_s_stddev":861496.7,"s_to_c_min":124,"s_to_c_avg":802259.4,"s_to_c_max":3784925,"s_to_c_stddev":1028096.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.6,"s_to_c_max":1935,"s_to_c_stddev":703.6}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2782,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":196,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347301520809,"flow_src_last_pkt_time":1499347301520809,"flow_dst_last_pkt_time":1499347301520809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347301520809,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55740,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2782,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":196,"flow_packet_id":1,"flow_src_last_pkt_time":1499347301520809,"flow_dst_last_pkt_time":1499347301520809,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347301520809,"pkt":"ABm5CmnxAMGxFOsxCABFAAA80Q9AAD4G9MCsEAABwKgKMtm8AFCdpvzgAAAAAKACchC7RgAAAgQFtAQCCAoBOi3vAAAAAAEDAwc="} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2783,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":196,"flow_packet_id":2,"flow_src_last_pkt_time":1499347301520809,"flow_dst_last_pkt_time":1499347301520933,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347301520933,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ2bw9W3Mnnab84aAScSAIWgAAAgQFtAQCCAoD4\/9lATot7wEDAwc="} @@ -1252,7 +1252,7 @@ 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3304,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":157,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347235716450,"flow_src_last_pkt_time":1499347241682595,"flow_dst_last_pkt_time":1499347241682043,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347364061294,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55038,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00893{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":3304,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347238260432,"flow_src_last_pkt_time":1499347243683907,"flow_dst_last_pkt_time":1499347243683316,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347364061294,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55064,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3304,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347238260432,"flow_src_last_pkt_time":1499347243683907,"flow_dst_last_pkt_time":1499347243683316,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347364061294,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55064,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} -01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3305,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1499347355229572,"flow_src_last_pkt_time":1499347365069246,"flow_dst_last_pkt_time":1499347365072209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4255,"flow_dst_tot_l4_payload_len":16323,"midstream":0,"thread_ts_usec":1499347365072209,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56306,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":49,"flow_avg":622450.1,"flow_max":4805402,"flow_stddev":1153424.1,"c_to_s_min":694,"c_to_s_avg":530303.6,"c_to_s_max":4804702,"c_to_s_stddev":1079633.0,"s_to_c_min":49,"s_to_c_avg":757125.9,"s_to_c_max":4805402,"s_to_c_stddev":1241237.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":290.4,"c_to_s_max":651,"c_to_s_stddev":245.6,"s_to_c_min":66,"s_to_c_avg":1322.2,"s_to_c_max":1934,"s_to_c_stddev":716.7}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3305,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1499347355229572,"flow_src_last_pkt_time":1499347365069246,"flow_dst_last_pkt_time":1499347365072209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4255,"flow_dst_tot_l4_payload_len":16323,"midstream":0,"thread_ts_usec":1499347365072209,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56306,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":49,"flow_avg":634913.3,"flow_max":4805402,"flow_stddev":1169757.4,"c_to_s_min":694,"c_to_s_avg":546648.6,"c_to_s_max":4804702,"c_to_s_stddev":1106927.0,"s_to_c_min":49,"s_to_c_avg":757125.9,"s_to_c_max":4805402,"s_to_c_stddev":1241237.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":290.4,"c_to_s_max":651,"c_to_s_stddev":245.6,"s_to_c_min":66,"s_to_c_avg":1322.2,"s_to_c_max":1934,"s_to_c_stddev":716.7}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3307,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":233,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347365320773,"flow_src_last_pkt_time":1499347365320773,"flow_dst_last_pkt_time":1499347365320773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347365320773,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56414,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3307,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":233,"flow_packet_id":1,"flow_src_last_pkt_time":1499347365320773,"flow_dst_last_pkt_time":1499347365320773,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347365320773,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8CZFAAD4GvD+sEAABwKgKMtxeAFCYJmWsAAAAAKACchAXCwAAAgQFtAQCCAoBOmw9AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3308,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":233,"flow_packet_id":2,"flow_src_last_pkt_time":1499347365320773,"flow_dst_last_pkt_time":1499347365320933,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347365320933,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ3F6n4QiemCZlraAScSAl0wAAAgQFtAQCCAoD5D2zATpsPQEDAwc="} @@ -1481,7 +1481,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3844,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":271,"flow_packet_id":1,"flow_src_last_pkt_time":1499347428671151,"flow_dst_last_pkt_time":1499347428671151,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347428671151,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8vFFAAD4GCX+sEAABwKgKMt8CAFCqwBZKAAAAAKACchATUQAAAgQFtAQCCAoBOqobAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3845,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":271,"flow_packet_id":2,"flow_src_last_pkt_time":1499347428671151,"flow_dst_last_pkt_time":1499347428671287,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347428671287,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ3wITPWXXqsAWS6AScSAbpgAAAgQFtAQCCAoD5HuRATqqGwEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3846,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":271,"flow_packet_id":3,"flow_src_last_pkt_time":1499347428672036,"flow_dst_last_pkt_time":1499347428671287,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347428672036,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0vFJAAD4GCYasEAABwKgKMt8CAFCqwBZLEz1l2IAQAOW6rQAAAQEICgE6qhsD5HuR"} -01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3853,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":265,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347419786749,"flow_src_last_pkt_time":1499347429693747,"flow_dst_last_pkt_time":1499347428675378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16415,"midstream":0,"thread_ts_usec":1499347429693747,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56994,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":126,"flow_avg":589167.1,"flow_max":3818967,"flow_stddev":934261.4,"c_to_s_min":889,"c_to_s_avg":474510.4,"c_to_s_max":3818133,"c_to_s_stddev":853109.9,"s_to_c_min":126,"s_to_c_avg":808057.2,"s_to_c_max":3818967,"s_to_c_stddev":1037662.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.0,"s_to_c_max":1934,"s_to_c_stddev":703.3}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3853,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":265,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347419786749,"flow_src_last_pkt_time":1499347429693747,"flow_dst_last_pkt_time":1499347428675378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16415,"midstream":0,"thread_ts_usec":1499347429693747,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56994,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":126,"flow_avg":606310.6,"flow_max":3818967,"flow_stddev":944243.6,"c_to_s_min":889,"c_to_s_avg":495349.9,"c_to_s_max":3818133,"c_to_s_stddev":868945.6,"s_to_c_min":126,"s_to_c_avg":808057.2,"s_to_c_max":3818967,"s_to_c_stddev":1037662.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.0,"s_to_c_max":1934,"s_to_c_stddev":703.3}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3862,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347431192783,"flow_src_last_pkt_time":1499347431192783,"flow_dst_last_pkt_time":1499347431192783,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347431192783,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57116,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3862,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_packet_id":1,"flow_src_last_pkt_time":1499347431192783,"flow_dst_last_pkt_time":1499347431192783,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347431192783,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8+sNAAD4GywysEAABwKgKMt8cAFA\/1VZRAAAAAKACchA7pAAAAgQFtAQCCAoBOqySAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3863,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_packet_id":2,"flow_src_last_pkt_time":1499347431192783,"flow_dst_last_pkt_time":1499347431192884,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347431192884,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ3xwMzQFkP9VWUqAScSCsZgAAAgQFtAQCCAoD5H4HATqskgEDAwc="} @@ -1706,7 +1706,7 @@ 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4384,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":309,"flow_packet_id":1,"flow_src_last_pkt_time":1499347493167254,"flow_dst_last_pkt_time":1499347493167254,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347493167254,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8VdJAAD4Gb\/6sEAABwKgKMuGyAFCUXbzFAAAAAKACchBBjAAAAgQFtAQCCAoBOukXAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4385,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":309,"flow_packet_id":2,"flow_src_last_pkt_time":1499347493167254,"flow_dst_last_pkt_time":1499347493167378,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347493167378,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ4bJdzKzTlF28xqAScSB5WQAAAgQFtAQCCAoD5LqNATrpFwEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4386,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":309,"flow_packet_id":3,"flow_src_last_pkt_time":1499347493168132,"flow_dst_last_pkt_time":1499347493167378,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347493168132,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0VdNAAD4GcAWsEAABwKgKMuGyAFCUXbzGXcys1IAQAOUYYAAAAQEICgE66RgD5LqN"} -01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4387,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":304,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347484263170,"flow_src_last_pkt_time":1499347493168704,"flow_dst_last_pkt_time":1499347492935868,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347493168704,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57684,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":126,"flow_avg":557037.9,"flow_max":3536204,"flow_stddev":865351.8,"c_to_s_min":910,"c_to_s_avg":435833.9,"c_to_s_max":3535287,"c_to_s_stddev":786543.6,"s_to_c_min":126,"s_to_c_avg":788427.1,"s_to_c_max":3536204,"s_to_c_stddev":956963.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1550.3,"s_to_c_max":1934,"s_to_c_stddev":699.2}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4387,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":304,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347484263170,"flow_src_last_pkt_time":1499347493168704,"flow_dst_last_pkt_time":1499347492935868,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347493168704,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57684,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":126,"flow_avg":567039.8,"flow_max":3536204,"flow_stddev":877375.9,"c_to_s_min":910,"c_to_s_avg":445276.7,"c_to_s_max":3535287,"c_to_s_stddev":804804.9,"s_to_c_min":126,"s_to_c_avg":788427.1,"s_to_c_max":3536204,"s_to_c_stddev":956963.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1550.3,"s_to_c_max":1934,"s_to_c_stddev":699.2}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4393,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":310,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347494446547,"flow_src_last_pkt_time":1499347494446547,"flow_dst_last_pkt_time":1499347494446547,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347494446547,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57792,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4393,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":310,"flow_packet_id":1,"flow_src_last_pkt_time":1499347494446547,"flow_dst_last_pkt_time":1499347494446547,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347494446547,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8G1FAAD4Gqn+sEAABwKgKMuHAAFAmKfEGAAAAAKACchB6MQAAAgQFtAQCCAoBOupXAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4394,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":310,"flow_packet_id":2,"flow_src_last_pkt_time":1499347494446547,"flow_dst_last_pkt_time":1499347494446686,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347494446686,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ4cATAV39JinxB6AScSBKYAAAAgQFtAQCCAoD5LvNATrqVwEDAwc="} @@ -1944,7 +1944,7 @@ 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":271,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347428671151,"flow_src_last_pkt_time":1499347433734524,"flow_dst_last_pkt_time":1499347433733752,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347556766549,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57090,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00893{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347431192783,"flow_src_last_pkt_time":1499347436733809,"flow_dst_last_pkt_time":1499347436733067,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347556766549,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57116,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347431192783,"flow_src_last_pkt_time":1499347436733809,"flow_dst_last_pkt_time":1499347436733067,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347556766549,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57116,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} -01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":342,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347547687536,"flow_src_last_pkt_time":1499347557536513,"flow_dst_last_pkt_time":1499347556527820,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16419,"midstream":0,"thread_ts_usec":1499347557536513,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":58360,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":124,"flow_avg":591398.7,"flow_max":3809547,"flow_stddev":928115.1,"c_to_s_min":686,"c_to_s_avg":480213.1,"c_to_s_max":3808906,"c_to_s_stddev":846500.5,"s_to_c_min":124,"s_to_c_avg":803662.2,"s_to_c_max":3809547,"s_to_c_stddev":1034042.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.4,"s_to_c_max":1935,"s_to_c_stddev":703.5}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":342,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347547687536,"flow_src_last_pkt_time":1499347557536513,"flow_dst_last_pkt_time":1499347556527820,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16419,"midstream":0,"thread_ts_usec":1499347557536513,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":58360,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":124,"flow_avg":602879.4,"flow_max":3809547,"flow_stddev":940726.8,"c_to_s_min":686,"c_to_s_avg":492448.8,"c_to_s_max":3808906,"c_to_s_stddev":865590.7,"s_to_c_min":124,"s_to_c_avg":803662.2,"s_to_c_max":3809547,"s_to_c_stddev":1034042.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.4,"s_to_c_max":1935,"s_to_c_stddev":703.5}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4927,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":348,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347557789292,"flow_src_last_pkt_time":1499347557789292,"flow_dst_last_pkt_time":1499347557789292,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347557789292,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":58468,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4927,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":348,"flow_packet_id":1,"flow_src_last_pkt_time":1499347557789292,"flow_dst_last_pkt_time":1499347557789292,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347557789292,"pkt":"ABm5CmnxAMGxFOsxCABFAAA82zBAAD4G6p+sEAABwKgKMuRkAFBn0PMDAAAAAKACchD2DAAAAgQFtAQCCAoBOygzAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4928,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":348,"flow_packet_id":2,"flow_src_last_pkt_time":1499347557789292,"flow_dst_last_pkt_time":1499347557789349,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347557789349,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ5GT+u1l1Z9DzBKAScSChLQAAAgQFtAQCCAoD5PmoATsoMwEDAwc="} @@ -2169,7 +2169,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5444,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":385,"flow_packet_id":1,"flow_src_last_pkt_time":1499347618757865,"flow_dst_last_pkt_time":1499347618757865,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347618757865,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8UcRAAD4GdAysEAABwKgKMub0AFCevDJ5AAAAAKACchBBkQAAAgQFtAQCCAoBO2O9AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5445,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":385,"flow_packet_id":2,"flow_src_last_pkt_time":1499347618757865,"flow_dst_last_pkt_time":1499347618757988,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347618757988,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ5vRXo2m0nrwyeqAScSBIAQAAAgQFtAQCCAoD5TUyATtjvQEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5446,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":385,"flow_packet_id":3,"flow_src_last_pkt_time":1499347618758844,"flow_dst_last_pkt_time":1499347618757988,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347618758844,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0UcVAAD4GdBOsEAABwKgKMub0AFCevDJ6V6NptYAQAOXnBwAAAQEICgE7Y74D5TUy"} -01482{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5461,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":380,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347611162032,"flow_src_last_pkt_time":1499347621032822,"flow_dst_last_pkt_time":1499347621031071,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4255,"flow_dst_tot_l4_payload_len":16323,"midstream":0,"thread_ts_usec":1499347621032822,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59042,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":143,"flow_avg":625681.2,"flow_max":4822860,"flow_stddev":1155759.6,"c_to_s_min":1013,"c_to_s_avg":483464.8,"c_to_s_max":4821803,"c_to_s_stddev":1040561.9,"s_to_c_min":143,"s_to_c_avg":897185.4,"s_to_c_max":4822860,"s_to_c_stddev":1306321.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":269.0,"c_to_s_max":651,"c_to_s_stddev":242.7,"s_to_c_min":66,"s_to_c_avg":1550.6,"s_to_c_max":1935,"s_to_c_stddev":699.4}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01482{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5461,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":380,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347611162032,"flow_src_last_pkt_time":1499347621032822,"flow_dst_last_pkt_time":1499347621031071,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4255,"flow_dst_tot_l4_payload_len":16323,"midstream":0,"thread_ts_usec":1499347621032822,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59042,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":143,"flow_avg":636768.6,"flow_max":4822860,"flow_stddev":1172576.8,"c_to_s_min":1013,"c_to_s_avg":493539.5,"c_to_s_max":4821803,"c_to_s_stddev":1065258.6,"s_to_c_min":143,"s_to_c_avg":897185.4,"s_to_c_max":4822860,"s_to_c_stddev":1306321.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":269.0,"c_to_s_max":651,"c_to_s_stddev":242.7,"s_to_c_min":66,"s_to_c_avg":1550.6,"s_to_c_max":1935,"s_to_c_stddev":699.4}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5462,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":386,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347621256083,"flow_src_last_pkt_time":1499347621256083,"flow_dst_last_pkt_time":1499347621256083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347621256083,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59150,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5462,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":386,"flow_packet_id":1,"flow_src_last_pkt_time":1499347621256083,"flow_dst_last_pkt_time":1499347621256083,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347621256083,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8Hc9AAD4GqAGsEAABwKgKMucOAFD+NnvhAAAAAKACchCWIwAAAgQFtAQCCAoBO2YuAAAAAAEDAwc="} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5463,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":386,"flow_packet_id":2,"flow_src_last_pkt_time":1499347621256083,"flow_dst_last_pkt_time":1499347621256213,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347621256213,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ5w6DP0I9\/jZ74qAScSCV\/QAAAgQFtAQCCAoD5TejATtmLgEDAwc="} @@ -2400,7 +2400,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6001,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":424,"flow_packet_id":1,"flow_src_last_pkt_time":1499347684563427,"flow_dst_last_pkt_time":1499347684563427,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347684563427,"pkt":"ABm5CmnxAMGxFOsxCABFAAA82yNAAD4G6qysEAABwKgKMumyAFDf7X8iAAAAAKACchBwtAAAAgQFtAQCCAoBO6QBAAAAAAEDAwc="} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6002,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":424,"flow_packet_id":2,"flow_src_last_pkt_time":1499347684563427,"flow_dst_last_pkt_time":1499347684563554,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347684563554,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ6bLDIQ3O3+1\/I6AScSAnSAAAAgQFtAQCCAoD5XV2ATukAQEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6003,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":424,"flow_packet_id":3,"flow_src_last_pkt_time":1499347684564308,"flow_dst_last_pkt_time":1499347684563554,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347684564308,"pkt":"ABm5CmnxAMGxFOsxCABFAAA02yRAAD4G6rOsEAABwKgKMumyAFDf7X8jwyENz4AQAOXGTwAAAQEICgE7pAED5XV2"} -01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6010,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":419,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347675703973,"flow_src_last_pkt_time":1499347685575239,"flow_dst_last_pkt_time":1499347684567341,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16418,"midstream":0,"thread_ts_usec":1499347685575239,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59732,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":122,"flow_avg":593065.3,"flow_max":3767000,"flow_stddev":920816.2,"c_to_s_min":677,"c_to_s_avg":481653.4,"c_to_s_max":3766369,"c_to_s_stddev":840522.6,"s_to_c_min":122,"s_to_c_avg":805760.8,"s_to_c_max":3767000,"s_to_c_stddev":1024186.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.3,"s_to_c_max":1935,"s_to_c_stddev":703.4}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6010,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":419,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347675703973,"flow_src_last_pkt_time":1499347685575239,"flow_dst_last_pkt_time":1499347684567341,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16418,"midstream":0,"thread_ts_usec":1499347685575239,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59732,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":122,"flow_avg":604343.1,"flow_max":3767000,"flow_stddev":933372.4,"c_to_s_min":677,"c_to_s_avg":493563.3,"c_to_s_max":3766369,"c_to_s_stddev":859548.3,"s_to_c_min":122,"s_to_c_avg":805760.8,"s_to_c_max":3767000,"s_to_c_stddev":1024186.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.3,"s_to_c_max":1935,"s_to_c_stddev":703.4}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6022,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":425,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347687089585,"flow_src_last_pkt_time":1499347687089585,"flow_dst_last_pkt_time":1499347687089585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347687089585,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59852,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6022,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":425,"flow_packet_id":1,"flow_src_last_pkt_time":1499347687089585,"flow_dst_last_pkt_time":1499347687089585,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347687089585,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8UahAAD4GdCisEAABwKgKMunMAFBn2\/fQAAAAAKACchBthwAAAgQFtAQCCAoBO6Z4AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6023,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":425,"flow_packet_id":2,"flow_src_last_pkt_time":1499347687089585,"flow_dst_last_pkt_time":1499347687089686,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347687089686,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ6cx2j8kIZ9v30aAScSCy+wAAAgQFtAQCCAoD5XftATumeAEDAwc="} @@ -2645,7 +2645,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6545,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":463,"flow_packet_id":1,"flow_src_last_pkt_time":1499347752308453,"flow_dst_last_pkt_time":1499347752308453,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347752308453,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8qStAAD4GHKWsEAABwKgKMuyOAFBMoE8CAAAAAKACchDvHQAAAgQFtAQCCAoBO+YpAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6546,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":463,"flow_packet_id":2,"flow_src_last_pkt_time":1499347752308453,"flow_dst_last_pkt_time":1499347752308578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347752308578,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ7I5f6lZGTKBPA6AScSB+SAAAAgQFtAQCCAoD5beeATvmKQEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6547,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":463,"flow_packet_id":3,"flow_src_last_pkt_time":1499347752309233,"flow_dst_last_pkt_time":1499347752308578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347752309233,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0qSxAAD4GHKysEAABwKgKMuyOAFBMoE8DX+pWR4AQAOUdTwAAAQEICgE75ioD5bee"} -01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6548,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":458,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347743331813,"flow_src_last_pkt_time":1499347752309607,"flow_dst_last_pkt_time":1499347752053014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347752309607,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":60464,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":130,"flow_avg":561566.2,"flow_max":3582115,"flow_stddev":874421.1,"c_to_s_min":887,"c_to_s_avg":440424.7,"c_to_s_max":3581223,"c_to_s_stddev":794204.8,"s_to_c_min":130,"s_to_c_avg":792836.4,"s_to_c_max":3582115,"s_to_c_stddev":968836.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1550.3,"s_to_c_max":1934,"s_to_c_stddev":699.2}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6548,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":458,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347743331813,"flow_src_last_pkt_time":1499347752309607,"flow_dst_last_pkt_time":1499347752053014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347752309607,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":60464,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":130,"flow_avg":570935.4,"flow_max":3582115,"flow_stddev":886830.3,"c_to_s_min":887,"c_to_s_avg":448889.7,"c_to_s_max":3581223,"c_to_s_stddev":812892.6,"s_to_c_min":130,"s_to_c_avg":792836.4,"s_to_c_max":3582115,"s_to_c_stddev":968836.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1550.3,"s_to_c_max":1934,"s_to_c_stddev":699.2}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6557,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":464,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347753649698,"flow_src_last_pkt_time":1499347753649698,"flow_dst_last_pkt_time":1499347753649698,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347753649698,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":60572,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6557,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":464,"flow_packet_id":1,"flow_src_last_pkt_time":1499347753649698,"flow_dst_last_pkt_time":1499347753649698,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347753649698,"pkt":"ABm5CmnxAMGxFOsxCABFAAA825ZAAD4G6jmsEAABwKgKMuycAFCJVjzvAAAAAKACchDDHAAAAgQFtAQCCAoBO+d5AAAAAAEDAwc="} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6558,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":464,"flow_packet_id":2,"flow_src_last_pkt_time":1499347753649698,"flow_dst_last_pkt_time":1499347753649826,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347753649826,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ7Jyb\/4pAiVY88KAScSDg6AAAAgQFtAQCCAoD5bjtATvneQEDAwc="} @@ -2868,7 +2868,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7073,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":501,"flow_packet_id":1,"flow_src_last_pkt_time":1499347816657942,"flow_dst_last_pkt_time":1499347816657942,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347816657942,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8lQ1AAD4GMMOsEAABwKgKMoDqAFAyzLAMAAAAAKACchDUswAAAgQFtAQCCAoBPCUBAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7074,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":501,"flow_packet_id":2,"flow_src_last_pkt_time":1499347816657942,"flow_dst_last_pkt_time":1499347816658067,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347816658067,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQgOp6zxHVMsywDaAScSBOkwAAAgQFtAQCCAoD5fZ1ATwlAQEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7075,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":501,"flow_packet_id":3,"flow_src_last_pkt_time":1499347816658755,"flow_dst_last_pkt_time":1499347816658067,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347816658755,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0lQ5AAD4GMMqsEAABwKgKMoDqAFAyzLANes8R1oAQAOXtmgAAAQEICgE8JQED5fZ1"} -01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7082,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":495,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347807664615,"flow_src_last_pkt_time":1499347817702402,"flow_dst_last_pkt_time":1499347816662711,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16417,"midstream":0,"thread_ts_usec":1499347817702402,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32906,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":158,"flow_avg":603066.8,"flow_max":3861987,"flow_stddev":939944.8,"c_to_s_min":871,"c_to_s_avg":490478.1,"c_to_s_max":3861200,"c_to_s_stddev":857874.7,"s_to_c_min":158,"s_to_c_avg":818008.8,"s_to_c_max":3861987,"s_to_c_stddev":1046315.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.2,"s_to_c_max":1935,"s_to_c_stddev":703.4}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7082,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":495,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347807664615,"flow_src_last_pkt_time":1499347817702402,"flow_dst_last_pkt_time":1499347816662711,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16417,"midstream":0,"thread_ts_usec":1499347817702402,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32906,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":158,"flow_avg":614060.8,"flow_max":3861987,"flow_stddev":952957.6,"c_to_s_min":871,"c_to_s_avg":501889.3,"c_to_s_max":3861200,"c_to_s_stddev":877503.2,"s_to_c_min":158,"s_to_c_avg":818008.8,"s_to_c_max":3861987,"s_to_c_stddev":1046315.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.2,"s_to_c_max":1935,"s_to_c_stddev":703.4}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7094,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":502,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347819250899,"flow_src_last_pkt_time":1499347819250899,"flow_dst_last_pkt_time":1499347819250899,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347819250899,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":33028,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7094,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":502,"flow_packet_id":1,"flow_src_last_pkt_time":1499347819250899,"flow_dst_last_pkt_time":1499347819250899,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347819250899,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8LORAAD4GmOysEAABwKgKMoEEAFDtQwttAAAAAKACchC8OQAAAgQFtAQCCAoBPCeJAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7095,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":502,"flow_packet_id":2,"flow_src_last_pkt_time":1499347819250899,"flow_dst_last_pkt_time":1499347819251024,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347819251024,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQgQQkyBmr7UMLbqAScSCBwQAAAgQFtAQCCAoD5fj+ATwniQEDAwc="} @@ -3089,7 +3089,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7597,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":537,"flow_packet_id":1,"flow_src_last_pkt_time":1499347881141710,"flow_dst_last_pkt_time":1499347881141710,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347881141710,"pkt":"ABm5CmnxAMGxFOsxCABFAAA80HhAAD4G9VesEAABwKgKMoOKAFDzHbOCAAAAAKACchDPUgAAAgQFtAQCCAoBPGP6AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7598,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":537,"flow_packet_id":2,"flow_src_last_pkt_time":1499347881141710,"flow_dst_last_pkt_time":1499347881141852,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347881141852,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQg4pPHZMl8x2zg6AScSC0mgAAAgQFtAQCCAoD5jVuATxj+gEDAwc="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7599,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":537,"flow_packet_id":3,"flow_src_last_pkt_time":1499347881142632,"flow_dst_last_pkt_time":1499347881141852,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347881142632,"pkt":"ABm5CmnxAMGxFOsxCABFAAA00HlAAD4G9V6sEAABwKgKMoOKAFDzHbODTx2TJoAQAOVTogAAAQEICgE8Y\/oD5jVu"} -01481{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7606,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":532,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347872187685,"flow_src_last_pkt_time":1499347882404199,"flow_dst_last_pkt_time":1499347882158637,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16321,"midstream":0,"thread_ts_usec":1499347882404199,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":33580,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":126,"flow_avg":639321.0,"flow_max":4840595,"flow_stddev":1154893.0,"c_to_s_min":862,"c_to_s_avg":499396.2,"c_to_s_max":4839753,"c_to_s_stddev":1039351.5,"s_to_c_min":126,"s_to_c_avg":906450.2,"s_to_c_max":4840595,"s_to_c_stddev":1307305.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1550.5,"s_to_c_max":1935,"s_to_c_stddev":699.3}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01481{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7606,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":532,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347872187685,"flow_src_last_pkt_time":1499347882404199,"flow_dst_last_pkt_time":1499347882158637,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16321,"midstream":0,"thread_ts_usec":1499347882404199,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":33580,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":126,"flow_avg":651208.6,"flow_max":4840595,"flow_stddev":1171443.9,"c_to_s_min":862,"c_to_s_avg":510825.7,"c_to_s_max":4839753,"c_to_s_stddev":1063729.8,"s_to_c_min":126,"s_to_c_avg":906450.2,"s_to_c_max":4840595,"s_to_c_stddev":1307305.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1550.5,"s_to_c_max":1935,"s_to_c_stddev":699.3}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7607,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":538,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347882404247,"flow_src_last_pkt_time":1499347882404247,"flow_dst_last_pkt_time":1499347882404247,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347882404247,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":33688,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7607,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":538,"flow_packet_id":1,"flow_src_last_pkt_time":1499347882404247,"flow_dst_last_pkt_time":1499347882404247,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347882404247,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8eWdAAD4GTGmsEAABwKgKMoOYAFA4phxRAAAAAKACchAfsgAAAgQFtAQCCAoBPGU2AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7608,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":538,"flow_packet_id":2,"flow_src_last_pkt_time":1499347882404247,"flow_dst_last_pkt_time":1499347882404320,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347882404320,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQg5hCgWTIOKYcUqAScSA+twAAAgQFtAQCCAoD5jaqATxlNgEDAwc="} @@ -3304,7 +3304,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8117,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":573,"flow_packet_id":1,"flow_src_last_pkt_time":1499347945720318,"flow_dst_last_pkt_time":1499347945720318,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347945720318,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8sjdAAD4GE5msEAABwKgKMoYqAFDdpBE8AAAAAKACchBFYQAAAgQFtAQCCAoBPKMLAAAAAAEDAwc="} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8118,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":573,"flow_packet_id":2,"flow_src_last_pkt_time":1499347945720318,"flow_dst_last_pkt_time":1499347945720417,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347945720417,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQhiqh1kGM3aQRPaAScSDqdwAAAgQFtAQCCAoD5nR\/ATyjCwEDAwc="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8119,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":573,"flow_packet_id":3,"flow_src_last_pkt_time":1499347945721181,"flow_dst_last_pkt_time":1499347945720417,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347945721181,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0sjhAAD4GE6CsEAABwKgKMoYqAFDdpBE9odZBjYAQAOWJfwAAAQEICgE8owsD5nR\/"} -01574{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8132,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":569,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347939286105,"flow_src_last_pkt_time":1499347947010010,"flow_dst_last_pkt_time":1499347947009327,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4457,"flow_dst_tot_l4_payload_len":16413,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":34278,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":171,"flow_avg":491044.6,"flow_max":2588369,"flow_stddev":679099.7,"c_to_s_min":495,"c_to_s_avg":380485.9,"c_to_s_max":2587661,"c_to_s_stddev":625231.7,"s_to_c_min":171,"s_to_c_avg":702111.1,"s_to_c_max":2588369,"s_to_c_stddev":726242.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":278.6,"c_to_s_max":651,"c_to_s_stddev":253.4,"s_to_c_min":66,"s_to_c_avg":1558.8,"s_to_c_max":1934,"s_to_c_stddev":703.2}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01574{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8132,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":569,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347939286105,"flow_src_last_pkt_time":1499347947010010,"flow_dst_last_pkt_time":1499347947009327,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4457,"flow_dst_tot_l4_payload_len":16413,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":34278,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":171,"flow_avg":498294.4,"flow_max":2588369,"flow_stddev":688746.1,"c_to_s_min":495,"c_to_s_avg":386195.2,"c_to_s_max":2587661,"c_to_s_stddev":640137.4,"s_to_c_min":171,"s_to_c_avg":702111.1,"s_to_c_max":2588369,"s_to_c_stddev":726242.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":278.6,"c_to_s_max":651,"c_to_s_stddev":253.4,"s_to_c_min":66,"s_to_c_avg":1558.8,"s_to_c_max":1934,"s_to_c_stddev":703.2}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00893{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":8133,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":498,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347812797349,"flow_src_last_pkt_time":1499347817844555,"flow_dst_last_pkt_time":1499347817843831,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32960,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":8133,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":498,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347812797349,"flow_src_last_pkt_time":1499347817844555,"flow_dst_last_pkt_time":1499347817843831,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32960,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00893{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":8133,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":499,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347814066618,"flow_src_last_pkt_time":1499347819845842,"flow_dst_last_pkt_time":1499347819845138,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32974,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} @@ -3545,7 +3545,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8666,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":612,"flow_packet_id":1,"flow_src_last_pkt_time":1499348012728762,"flow_dst_last_pkt_time":1499348012728762,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348012728762,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8MbdAAD4GlBmsEAABwKgKMojoAFBoxNXMAAAAAKACchCxggAAAgQFtAQCCAoBPOR7AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8667,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":612,"flow_packet_id":2,"flow_src_last_pkt_time":1499348012728762,"flow_dst_last_pkt_time":1499348012728872,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348012728872,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQiOhwV55UaMTVzaAScSDp3wAAAgQFtAQCCAoD5rXvATzkewEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8668,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":612,"flow_packet_id":3,"flow_src_last_pkt_time":1499348012729471,"flow_dst_last_pkt_time":1499348012728872,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499348012729471,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0MbhAAD4GlCCsEAABwKgKMojoAFBoxNXNcFeeVYAQAOWI5wAAAQEICgE85HsD5rXv"} -01481{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8669,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":606,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499348002450018,"flow_src_last_pkt_time":1499348012729966,"flow_dst_last_pkt_time":1499348012487215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16321,"midstream":0,"thread_ts_usec":1499348012729966,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":34940,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":168,"flow_avg":643282.2,"flow_max":4897215,"flow_stddev":1169922.5,"c_to_s_min":874,"c_to_s_avg":502277.8,"c_to_s_max":4896388,"c_to_s_stddev":1052523.8,"s_to_c_min":168,"s_to_c_avg":912472.4,"s_to_c_max":4897215,"s_to_c_stddev":1325294.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1550.5,"s_to_c_max":1934,"s_to_c_stddev":699.3}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01481{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8669,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":606,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499348002450018,"flow_src_last_pkt_time":1499348012729966,"flow_dst_last_pkt_time":1499348012487215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16321,"midstream":0,"thread_ts_usec":1499348012729966,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":34940,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":168,"flow_avg":655391.8,"flow_max":4897215,"flow_stddev":1186666.9,"c_to_s_min":874,"c_to_s_avg":513997.4,"c_to_s_max":4896388,"c_to_s_stddev":1077177.9,"s_to_c_min":168,"s_to_c_avg":912472.4,"s_to_c_max":4897215,"s_to_c_stddev":1325294.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1550.5,"s_to_c_max":1934,"s_to_c_stddev":699.3}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":8684,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":613,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499348015250467,"flow_src_last_pkt_time":1499348015250467,"flow_dst_last_pkt_time":1499348015250467,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499348015250467,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":35074,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8684,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":613,"flow_packet_id":1,"flow_src_last_pkt_time":1499348015250467,"flow_dst_last_pkt_time":1499348015250467,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348015250467,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8SaJAAD4GfC6sEAABwKgKMokCAFA1NK9QAAAAAKACchAI\/gAAAgQFtAQCCAoBPObyAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8685,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":613,"flow_packet_id":2,"flow_src_last_pkt_time":1499348015250467,"flow_dst_last_pkt_time":1499348015250592,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348015250592,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQiQJJKiEWNTSvUaAScSDjTwAAAgQFtAQCCAoD5rhmATzm8gEDAwc="} @@ -3762,7 +3762,7 @@ 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9192,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":649,"flow_packet_id":1,"flow_src_last_pkt_time":1499348077218866,"flow_dst_last_pkt_time":1499348077218866,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348077218866,"pkt":"ABm5CmnxAMGxFOsxCABFAAA80HtAAD4G9VSsEAABwKgKMouKAFBc0\/MNAAAAAKACchBelQAAAgQFtAQCCAoBPSN2AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9193,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":649,"flow_packet_id":2,"flow_src_last_pkt_time":1499348077218866,"flow_dst_last_pkt_time":1499348077218968,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348077218968,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQi4oOSV5eXNPzDqAScSD5+wAAAgQFtAQCCAoD5vTqAT0jdgEDAwc="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9195,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":649,"flow_packet_id":3,"flow_src_last_pkt_time":1499348077219749,"flow_dst_last_pkt_time":1499348077218968,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499348077219749,"pkt":"ABm5CmnxAMGxFOsxCABFAAA00HxAAD4G9VusEAABwKgKMouKAFBc0\/MODkleX4AQAOWZAwAAAQEICgE9I3YD5vTq"} -01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9201,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":643,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499348068136241,"flow_src_last_pkt_time":1499348078263151,"flow_dst_last_pkt_time":1499348077222575,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16415,"midstream":0,"thread_ts_usec":1499348078263151,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":35626,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":124,"flow_avg":608281.0,"flow_max":3953842,"flow_stddev":959298.9,"c_to_s_min":706,"c_to_s_avg":494221.8,"c_to_s_max":3953188,"c_to_s_stddev":874642.6,"s_to_c_min":124,"s_to_c_avg":826030.4,"s_to_c_max":3953842,"s_to_c_stddev":1069765.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.0,"s_to_c_max":1934,"s_to_c_stddev":703.3}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9201,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":643,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499348068136241,"flow_src_last_pkt_time":1499348078263151,"flow_dst_last_pkt_time":1499348077222575,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16415,"midstream":0,"thread_ts_usec":1499348078263151,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":35626,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":124,"flow_avg":619782.1,"flow_max":3953842,"flow_stddev":972474.7,"c_to_s_min":706,"c_to_s_avg":506345.5,"c_to_s_max":3953188,"c_to_s_stddev":894518.3,"s_to_c_min":124,"s_to_c_avg":826030.4,"s_to_c_max":3953842,"s_to_c_stddev":1069765.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":296.9,"c_to_s_max":651,"c_to_s_stddev":251.2,"s_to_c_min":66,"s_to_c_avg":1559.0,"s_to_c_max":1934,"s_to_c_stddev":703.3}},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9204,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":650,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499348078531918,"flow_src_last_pkt_time":1499348078531918,"flow_dst_last_pkt_time":1499348078531918,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499348078531918,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":35736,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9204,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":650,"flow_packet_id":1,"flow_src_last_pkt_time":1499348078531918,"flow_dst_last_pkt_time":1499348078531918,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348078531918,"pkt":"ABm5CmnxAMGxFOsxCABFAAA86yNAAD4G2qysEAABwKgKMouYAFAizM+dAAAAAKACchC6tgAAAgQFtAQCCAoBPSS+AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9205,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":650,"flow_packet_id":2,"flow_src_last_pkt_time":1499348078531918,"flow_dst_last_pkt_time":1499348078532057,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348078532057,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQi5glYndPIszPnqAScSAkywAAAgQFtAQCCAoD5vYyAT0kvgEDAwc="} diff --git a/test/results/aimini-http.pcap.out b/test/results/aimini-http.pcap.out index 8661be624..fa22ba26d 100644 --- a/test/results/aimini-http.pcap.out +++ b/test/results/aimini-http.pcap.out @@ -10,7 +10,7 @@ 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1614860229386298,"flow_dst_last_pkt_time":1614860229385965,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614860229386298,"pkt":"ApXG95WRWgXZu6TVCABFAAAwBP8AAH8GIfsKZQACCmYAAm9WAFCbu7tlAAAAAHACgAEoiAAAAgQFtAMDAQA="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":39,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1614860229386298,"flow_dst_last_pkt_time":1614860229386303,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614860229386303,"pkt":"WgXZu6TVApXG95WRCABFAAAwBQ0AAIAGAAAKZgACCmUAAgBQb1abu8Cxm7u7ZnASgAEU8QAAAgQFtAMDAQA="} 01204{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":42,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1614860229385965,"flow_src_last_pkt_time":1614860229386487,"flow_dst_last_pkt_time":1614860229386479,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":524,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":524,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1614860229386487,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":28502,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Aimini","proto_id":"7.99","encrypted":0,"breed":"Fun","category_id":7,"category":"Download","hostname":"www.aimini.com","http": {"url":"www.aimini.com\/webcounter\/w.php?___hm=.net_SignUp_&_lh_=http:\/\/www.aimini.net\/member\/signup\/&__Refer_=http:\/\/www.aimini.net\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.17) Gecko\/20110420 Firefox\/3.6.17","detected_os":"Windows"}}} -01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":48,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614860229383219,"flow_src_last_pkt_time":1614860229387313,"flow_dst_last_pkt_time":1614860229385946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4110,"flow_dst_tot_l4_payload_len":20912,"midstream":0,"thread_ts_usec":1614860229387313,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":28501,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":127053168.0,"flow_max":4065694499,"flow_stddev":707400896.0,"c_to_s_min":1,"c_to_s_avg":290407040.0,"c_to_s_max":4065694499,"c_to_s_stddev":1047076352.0,"s_to_c_min":1,"s_to_c_avg":151.5,"s_to_c_max":1116,"s_to_c_stddev":320.2},"pktlen": {"c_to_s_min":60,"c_to_s_avg":352.1,"c_to_s_max":1514,"c_to_s_stddev":516.0,"s_to_c_min":62,"s_to_c_avg":1216.7,"s_to_c_max":1514,"s_to_c_stddev":558.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Aimini","proto_id":"7.99","encrypted":0,"breed":"Fun","category_id":7,"category":"Download"}} +01321{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":48,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614860229383219,"flow_src_last_pkt_time":1614860229387313,"flow_dst_last_pkt_time":1614860229385946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4110,"flow_dst_tot_l4_payload_len":20912,"midstream":0,"thread_ts_usec":1614860229387313,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":28501,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":220.0,"flow_max":1148,"flow_stddev":358.7,"c_to_s_min":1,"c_to_s_avg":314.9,"c_to_s_max":1148,"c_to_s_stddev":386.5,"s_to_c_min":1,"s_to_c_avg":151.5,"s_to_c_max":1116,"s_to_c_stddev":320.2},"pktlen": {"c_to_s_min":60,"c_to_s_avg":352.1,"c_to_s_max":1514,"c_to_s_stddev":516.0,"s_to_c_min":62,"s_to_c_avg":1216.7,"s_to_c_max":1514,"s_to_c_stddev":558.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Aimini","proto_id":"7.99","encrypted":0,"breed":"Fun","category_id":7,"category":"Download"}} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":95,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1614860229388780,"flow_src_last_pkt_time":1614860229388780,"flow_dst_last_pkt_time":1614860229388780,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1614860229388780,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":28503,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1614860229388780,"flow_dst_last_pkt_time":1614860229388780,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614860229388780,"pkt":"5kBKB+riApXG95NLCABFAAAwBREAAIAGAAAKZQACCmYAAm9XAFCbu+drAAAAAHACgAEU8QAAAgQFtAMDAQA="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":98,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1614860229389055,"flow_dst_last_pkt_time":1614860229388780,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614860229389055,"pkt":"ApXG95WRWgXZu6TVCABFAAAwBREAAH8GIekKZQACCmYAAm9XAFCbu+drAAAAAHACgAH8gAAAAgQFtAMDAQA="} @@ -39,5 +39,5 @@ ~~ total allocations/frees...: 121623/121623 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 482 chars -~~ json string max len.......: 1363 chars -~~ json string avg len.......: 921 chars +~~ json string max len.......: 1326 chars +~~ json string avg len.......: 903 chars diff --git a/test/results/alexa-app.pcapng.out b/test/results/alexa-app.pcapng.out index 8be289681..788592cc8 100644 --- a/test/results/alexa-app.pcapng.out +++ b/test/results/alexa-app.pcapng.out @@ -200,7 +200,7 @@ 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":279,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1490976042101270,"flow_dst_last_pkt_time":1490976042099362,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976042101270,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0AfRAAEAGW7qsECrYNFXR2NSNAbumNE9Ps3pFE4AQAVdxMgAAAQEICgD2TsJtF6Xz"} 01118{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":282,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976041961796,"flow_src_last_pkt_time":1490976042058395,"flow_dst_last_pkt_time":1490976042149888,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":202,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1490976042149888,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01715{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":284,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976041961796,"flow_src_last_pkt_time":1490976042058395,"flow_dst_last_pkt_time":1490976042150550,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":202,"flow_dst_tot_l4_payload_len":4344,"midstream":0,"thread_ts_usec":1490976042150550,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} -01204{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":309,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1490976041942417,"flow_src_last_pkt_time":1490976042286958,"flow_dst_last_pkt_time":1490976042283855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1030,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1358,"flow_dst_tot_l4_payload_len":15533,"midstream":0,"thread_ts_usec":1490976042286958,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":47,"flow_avg":25670.5,"flow_max":135477,"flow_stddev":36374.0,"c_to_s_min":233,"c_to_s_avg":34287.0,"c_to_s_max":135477,"c_to_s_stddev":43007.6,"s_to_c_min":47,"s_to_c_avg":18968.8,"s_to_c_max":75313,"s_to_c_stddev":28475.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":163.6,"c_to_s_max":1096,"c_to_s_stddev":265.2,"s_to_c_min":66,"s_to_c_avg":929.4,"s_to_c_max":1514,"s_to_c_stddev":640.4}}} +01202{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":309,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1490976041942417,"flow_src_last_pkt_time":1490976042286958,"flow_dst_last_pkt_time":1490976042283855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1030,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1358,"flow_dst_tot_l4_payload_len":15533,"midstream":0,"thread_ts_usec":1490976042286958,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":47,"flow_avg":22128.4,"flow_max":90510,"flow_stddev":31052.4,"c_to_s_min":233,"c_to_s_avg":26503.2,"c_to_s_max":90510,"c_to_s_stddev":33818.6,"s_to_c_min":47,"s_to_c_avg":18968.8,"s_to_c_max":75313,"s_to_c_stddev":28475.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":163.6,"c_to_s_max":1096,"c_to_s_stddev":265.2,"s_to_c_min":66,"s_to_c_avg":929.4,"s_to_c_max":1514,"s_to_c_stddev":640.4}}} 01720{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":309,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1490976041942417,"flow_src_last_pkt_time":1490976042286958,"flow_dst_last_pkt_time":1490976042283855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1030,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1358,"flow_dst_tot_l4_payload_len":15533,"midstream":0,"thread_ts_usec":1490976042286958,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} 01149{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":317,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1490976041870965,"flow_src_last_pkt_time":1490976042239996,"flow_dst_last_pkt_time":1490976042302047,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":454,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1490976042302047,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"mobileanalytics.us-east-1.amazonaws.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01622{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":319,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1490976041870965,"flow_src_last_pkt_time":1490976042239996,"flow_dst_last_pkt_time":1490976042302667,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":454,"flow_dst_tot_l4_payload_len":4380,"midstream":0,"thread_ts_usec":1490976042302667,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"mobileanalytics.us-east-1.amazonaws.com","tls": {"version":"TLSv1.2","server_names":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D"}}} @@ -211,7 +211,7 @@ 01005{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":389,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976043611721,"flow_src_last_pkt_time":1490976043611721,"flow_dst_last_pkt_time":1490976043611721,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976043611721,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":43350,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00193{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":392,"source":"alexa-app.pcapng","alias":"nDPId-test","layer_type":35085,"global_ts_usec":1490976043617123} 00360{"packet_event_id":1,"packet_event_name":"packet","packet_id":392,"source":"alexa-app.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":35085,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1490976043612089,"pkt":"AMDKkaPvePiC0\/vCiQ0CDAoBZRIAwMqRdPh4+ILT+8IAwMqRo+\/dFACgxgAAAAAAAAAAAAAAAAAAAAAA"} -01583{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":394,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976041156517,"flow_src_last_pkt_time":1490976043655892,"flow_dst_last_pkt_time":1490976043654956,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1114,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4861,"flow_dst_tot_l4_payload_len":5515,"midstream":0,"thread_ts_usec":1490976043655892,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45661,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":70,"flow_avg":156370.8,"flow_max":1015894,"flow_stddev":282870.2,"c_to_s_min":271,"c_to_s_avg":139190.3,"c_to_s_max":1015894,"c_to_s_stddev":248177.3,"s_to_c_min":70,"s_to_c_avg":178459.9,"s_to_c_max":966451,"s_to_c_stddev":320679.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":325.2,"c_to_s_max":1168,"c_to_s_stddev":441.6,"s_to_c_min":60,"s_to_c_avg":451.1,"s_to_c_max":1514,"s_to_c_stddev":527.5}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01583{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":394,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976041156517,"flow_src_last_pkt_time":1490976043655892,"flow_dst_last_pkt_time":1490976043654956,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1114,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4861,"flow_dst_tot_l4_payload_len":5515,"midstream":0,"thread_ts_usec":1490976043655892,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45661,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":70,"flow_avg":161219.8,"flow_max":1015894,"flow_stddev":286084.3,"c_to_s_min":271,"c_to_s_avg":147022.1,"c_to_s_max":1015894,"c_to_s_stddev":253201.5,"s_to_c_min":70,"s_to_c_avg":178459.9,"s_to_c_max":966451,"s_to_c_stddev":320679.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":325.2,"c_to_s_max":1168,"c_to_s_stddev":441.6,"s_to_c_min":60,"s_to_c_avg":451.1,"s_to_c_max":1514,"s_to_c_stddev":527.5}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":397,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_src_last_pkt_time":1490976043611721,"flow_dst_last_pkt_time":1490976043811357,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1490976043811357,"pkt":"ePiC0\/vCAMDKkaPvCABFAABP0pFAAEARuxKsECoBrBAq2AA1qVYAO\/ZCveGBgAABAAEAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAHADAABAAEAAAAbAARIFc6H"} 01021{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":397,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976043611721,"flow_src_last_pkt_time":1490976043611721,"flow_dst_last_pkt_time":1490976043811357,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":51,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1490976043811357,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":43350,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"72.21.206.135"}}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":398,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976043814090,"flow_src_last_pkt_time":1490976043814090,"flow_dst_last_pkt_time":1490976043814090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976043814090,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42129,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -271,7 +271,7 @@ 01228{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":495,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976044509891,"flow_src_last_pkt_time":1490976044595782,"flow_dst_last_pkt_time":1490976044687978,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976044687978,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45678,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}} 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":511,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":4,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976044649888,"flow_dst_last_pkt_time":1490976044708534,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":205,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":615,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1490976044708534,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01609{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":513,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976044649888,"flow_dst_last_pkt_time":1490976044708747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":205,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":615,"flow_dst_tot_l4_payload_len":4380,"midstream":0,"thread_ts_usec":1490976044708747,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}} -01210{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":582,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976046401041,"flow_dst_last_pkt_time":1490976046398896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5245,"flow_dst_tot_l4_payload_len":5794,"midstream":0,"thread_ts_usec":1490976046401041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":38,"flow_avg":167913.5,"flow_max":835939,"flow_stddev":240273.5,"c_to_s_min":133,"c_to_s_avg":154962.2,"c_to_s_max":783828,"c_to_s_stddev":201670.1,"s_to_c_min":38,"s_to_c_avg":184565.1,"s_to_c_max":835939,"s_to_c_stddev":281377.6},"pktlen": {"c_to_s_min":54,"c_to_s_avg":346.5,"c_to_s_max":1514,"c_to_s_stddev":493.6,"s_to_c_min":60,"s_to_c_avg":471.0,"s_to_c_max":1514,"s_to_c_stddev":575.6}}} +01210{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":582,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976046401041,"flow_dst_last_pkt_time":1490976046398896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5245,"flow_dst_tot_l4_payload_len":5794,"midstream":0,"thread_ts_usec":1490976046401041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":38,"flow_avg":166773.2,"flow_max":835939,"flow_stddev":244032.9,"c_to_s_min":133,"c_to_s_avg":152121.0,"c_to_s_max":783828,"c_to_s_stddev":207166.5,"s_to_c_min":38,"s_to_c_avg":184565.1,"s_to_c_max":835939,"s_to_c_stddev":281377.6},"pktlen": {"c_to_s_min":54,"c_to_s_avg":346.5,"c_to_s_max":1514,"c_to_s_stddev":493.6,"s_to_c_min":60,"s_to_c_avg":471.0,"s_to_c_max":1514,"s_to_c_stddev":575.6}}} 01613{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":582,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976046401041,"flow_dst_last_pkt_time":1490976046398896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5245,"flow_dst_tot_l4_payload_len":5794,"midstream":0,"thread_ts_usec":1490976046401041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":599,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976046418630,"flow_src_last_pkt_time":1490976046418630,"flow_dst_last_pkt_time":1490976046418630,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976046418630,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45680,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":599,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1490976046418630,"flow_dst_last_pkt_time":1490976046418630,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976046418630,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8dehAAEAG0QasECrYNF7ohrJwAbub2CWZAAAAAKAC\/\/+NLQAAAgQFtAQCCAoA9lBxAAAAAAEDAwg="} @@ -309,7 +309,7 @@ 01061{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":689,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976047563011,"flow_src_last_pkt_time":1490976047631468,"flow_dst_last_pkt_time":1490976047629213,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":237,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":237,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976047631468,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42143,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01116{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":693,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976047560420,"flow_src_last_pkt_time":1490976047610667,"flow_dst_last_pkt_time":1490976047664674,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1490976047664674,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54427,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","ja3":"5ee142340adf02ded757447e2ff78986","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01119{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":704,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1490976047563011,"flow_src_last_pkt_time":1490976047631468,"flow_dst_last_pkt_time":1490976047695425,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":237,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":237,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1490976047695425,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42143,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} -01360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":711,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1490976047050685,"flow_src_last_pkt_time":1490976047738970,"flow_dst_last_pkt_time":1490976047737869,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":510,"flow_src_tot_l4_payload_len":18550,"flow_dst_tot_l4_payload_len":666,"midstream":0,"thread_ts_usec":1490976047738970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34034,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":114,"flow_avg":43904.2,"flow_max":352057,"flow_stddev":77638.2,"c_to_s_min":114,"c_to_s_avg":37776.4,"c_to_s_max":352057,"c_to_s_stddev":78556.5,"s_to_c_min":128,"s_to_c_avg":52860.3,"s_to_c_max":295338,"s_to_c_stddev":75385.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":1031.4,"c_to_s_max":1514,"c_to_s_stddev":643.7,"s_to_c_min":60,"s_to_c_avg":110.5,"s_to_c_max":564,"s_to_c_stddev":136.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":711,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1490976047050685,"flow_src_last_pkt_time":1490976047738970,"flow_dst_last_pkt_time":1490976047737869,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":510,"flow_src_tot_l4_payload_len":18550,"flow_dst_tot_l4_payload_len":666,"midstream":0,"thread_ts_usec":1490976047738970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34034,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":114,"flow_avg":44370.0,"flow_max":352057,"flow_stddev":78836.5,"c_to_s_min":114,"c_to_s_avg":38238.1,"c_to_s_max":352057,"c_to_s_stddev":80684.0,"s_to_c_min":128,"s_to_c_avg":52860.3,"s_to_c_max":295338,"s_to_c_stddev":75385.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":1031.4,"c_to_s_max":1514,"c_to_s_stddev":643.7,"s_to_c_min":60,"s_to_c_avg":110.5,"s_to_c_max":564,"s_to_c_stddev":136.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":719,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":56,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976047858519,"flow_src_last_pkt_time":1490976047858519,"flow_dst_last_pkt_time":1490976047858519,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976047858519,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42144,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":719,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":56,"flow_packet_id":1,"flow_src_last_pkt_time":1490976047858519,"flow_dst_last_pkt_time":1490976047858519,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976047858519,"pkt":"AMDKkaPvePiC0\/vCCABFAAA84nJAAEAGasSsECrYSBXOh6SgAbtFc7NzAAAAAKAC\/\/9pQAAAAgQFtAQCCAoA9lEBAAAAAAEDAwg="} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":721,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":56,"flow_packet_id":2,"flow_src_last_pkt_time":1490976047858519,"flow_dst_last_pkt_time":1490976047907178,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976047907178,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwsPFAAOcG9VBIFc6HrBAq2AG7pKCmhnFJRXOzdHASH\/6\/cgAAAgQFtAEDAwY="} @@ -368,8 +368,8 @@ 01172{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":903,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068066460,"flow_dst_last_pkt_time":1490976068061060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":221,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":221,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976068066460,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01232{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":907,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068066460,"flow_dst_last_pkt_time":1490976068174408,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":221,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":221,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1490976068174408,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01667{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":909,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":6,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068066460,"flow_dst_last_pkt_time":1490976068174770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":221,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":221,"flow_dst_tot_l4_payload_len":3330,"midstream":0,"thread_ts_usec":1490976068174770,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","server_names":"api.amazon.com,wsync.us-east-1.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=api.amazon.com","fingerprint":"1D:A3:CD:C3:06:9E:9B:A0:61:1E:1A:75:55:C1:A8:B0:DC:F8:75:2D"}}} -01364{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976064452332,"flow_src_last_pkt_time":1490976068084335,"flow_dst_last_pkt_time":1490976068174801,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":7862,"flow_dst_tot_l4_payload_len":9710,"midstream":0,"thread_ts_usec":1490976068174801,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":123,"flow_avg":233553.8,"flow_max":2896813,"flow_stddev":551677.5,"c_to_s_min":123,"c_to_s_avg":220661.9,"c_to_s_max":2896813,"c_to_s_stddev":682840.1,"s_to_c_min":133,"s_to_c_avg":248164.6,"s_to_c_max":1116565,"s_to_c_stddev":347036.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":531.8,"c_to_s_max":1514,"c_to_s_stddev":642.5,"s_to_c_min":66,"s_to_c_avg":713.9,"s_to_c_max":1514,"s_to_c_stddev":677.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01209{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":934,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068790465,"flow_dst_last_pkt_time":1490976070313997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":16863,"midstream":0,"thread_ts_usec":1490976070313997,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":41,"flow_avg":100596.5,"flow_max":486056,"flow_stddev":136415.3,"c_to_s_min":157,"c_to_s_avg":79432.4,"c_to_s_max":293069,"c_to_s_stddev":87578.6,"s_to_c_min":41,"s_to_c_avg":111682.4,"s_to_c_max":486056,"s_to_c_stddev":154860.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":397.6,"c_to_s_max":1514,"c_to_s_stddev":545.4,"s_to_c_min":60,"s_to_c_avg":858.8,"s_to_c_max":1514,"s_to_c_stddev":692.6}}} +01364{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976064452332,"flow_src_last_pkt_time":1490976068084335,"flow_dst_last_pkt_time":1490976068174801,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":7862,"flow_dst_tot_l4_payload_len":9710,"midstream":0,"thread_ts_usec":1490976068174801,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":123,"flow_avg":237241.0,"flow_max":2896813,"flow_stddev":560116.6,"c_to_s_min":123,"c_to_s_avg":227000.2,"c_to_s_max":2896813,"c_to_s_stddev":703370.1,"s_to_c_min":133,"s_to_c_avg":248164.6,"s_to_c_max":1116565,"s_to_c_stddev":347036.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":531.8,"c_to_s_max":1514,"c_to_s_stddev":642.5,"s_to_c_min":66,"s_to_c_avg":713.9,"s_to_c_max":1514,"s_to_c_stddev":677.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01209{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":934,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068790465,"flow_dst_last_pkt_time":1490976070313997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":16863,"midstream":0,"thread_ts_usec":1490976070313997,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":41,"flow_avg":102165.5,"flow_max":486056,"flow_stddev":138313.6,"c_to_s_min":157,"c_to_s_avg":82179.9,"c_to_s_max":293069,"c_to_s_stddev":91400.1,"s_to_c_min":41,"s_to_c_avg":111682.4,"s_to_c_max":486056,"s_to_c_stddev":154860.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":397.6,"c_to_s_max":1514,"c_to_s_stddev":545.4,"s_to_c_min":60,"s_to_c_avg":858.8,"s_to_c_max":1514,"s_to_c_stddev":692.6}}} 01672{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":934,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068790465,"flow_dst_last_pkt_time":1490976070313997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":16863,"midstream":0,"thread_ts_usec":1490976070313997,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","server_names":"api.amazon.com,wsync.us-east-1.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=api.amazon.com","fingerprint":"1D:A3:CD:C3:06:9E:9B:A0:61:1E:1A:75:55:C1:A8:B0:DC:F8:75:2D"}}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":958,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":66,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976071237623,"flow_src_last_pkt_time":1490976071237623,"flow_dst_last_pkt_time":1490976071237623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976071237623,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49606,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":958,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":66,"flow_packet_id":1,"flow_src_last_pkt_time":1490976071237623,"flow_dst_last_pkt_time":1490976071237623,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976071237623,"pkt":"AMDKkaPvePiC0\/vCCABFAAA870hAAEAGV6asECrYNF7ohsHGAFAgR7VrAAAAAKAC\/\/9hTwAAAgQFtAQCCAoA9lojAAAAAAEDAwg="} @@ -521,7 +521,7 @@ 01064{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1324,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":91,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976089227335,"flow_src_last_pkt_time":1490976090192268,"flow_dst_last_pkt_time":1490976090038424,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976090192268,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45714,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01064{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1325,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":89,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":1,"flow_first_seen":1490976088958157,"flow_src_last_pkt_time":1490976090192765,"flow_dst_last_pkt_time":1490976090038470,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976090192765,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45712,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01327{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1327,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":93,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976089426961,"flow_src_last_pkt_time":1490976090196942,"flow_dst_last_pkt_time":1490976090038290,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":996,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":996,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976090196942,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49630,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAlexa","proto_id":"7.110","encrypted":0,"breed":"Acceptable","category_id":32,"category":"VirtAssistant","hostname":"alexa.amazon.com","http": {"url":"alexa.amazon.com\/lib\/bootstrap\/img\/glyphicons-halflings.png","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; LGLS751 Build\/LMY47V; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/56.0.2924.87 Mobile Safari\/537.36 PitanguiBridge\/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]","detected_os":"Android 5.1.1"}}} -01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1328,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":80,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1490976085644885,"flow_src_last_pkt_time":1490976090198099,"flow_dst_last_pkt_time":1490976090039279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":8230,"flow_dst_tot_l4_payload_len":2302,"midstream":0,"thread_ts_usec":1490976090198099,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45703,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":65,"flow_avg":305977.2,"flow_max":1569527,"flow_stddev":421620.9,"c_to_s_min":240,"c_to_s_avg":284046.2,"c_to_s_max":1569527,"c_to_s_stddev":421032.7,"s_to_c_min":65,"s_to_c_avg":338030.3,"s_to_c_max":1485936,"s_to_c_stddev":420426.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":488.2,"c_to_s_max":1514,"c_to_s_stddev":617.3,"s_to_c_min":60,"s_to_c_avg":234.5,"s_to_c_max":731,"s_to_c_stddev":245.4}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1328,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":80,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1490976085644885,"flow_src_last_pkt_time":1490976090198099,"flow_dst_last_pkt_time":1490976090039279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":8230,"flow_dst_tot_l4_payload_len":2302,"midstream":0,"thread_ts_usec":1490976090198099,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45703,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":65,"flow_avg":288632.5,"flow_max":1569527,"flow_stddev":416979.2,"c_to_s_min":240,"c_to_s_avg":252956.3,"c_to_s_max":1569527,"c_to_s_stddev":410794.0,"s_to_c_min":65,"s_to_c_avg":338030.3,"s_to_c_max":1485936,"s_to_c_stddev":420426.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":488.2,"c_to_s_max":1514,"c_to_s_stddev":617.3,"s_to_c_min":60,"s_to_c_avg":234.5,"s_to_c_max":731,"s_to_c_stddev":245.4}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01229{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1343,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":92,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1490976089239508,"flow_src_last_pkt_time":1490976090191085,"flow_dst_last_pkt_time":1490976090313083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976090313083,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45715,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}} 01229{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1345,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":89,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1490976088958157,"flow_src_last_pkt_time":1490976090210793,"flow_dst_last_pkt_time":1490976090313160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976090313160,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45712,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}} 01229{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1346,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":91,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1490976089227335,"flow_src_last_pkt_time":1490976090192268,"flow_dst_last_pkt_time":1490976090313192,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976090313192,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45714,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}} @@ -545,10 +545,10 @@ 01077{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1443,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976090991595,"flow_src_last_pkt_time":1490976091163513,"flow_dst_last_pkt_time":1490976091160874,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":215,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":215,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976091163513,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"s3-external-2.amazonaws.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1449,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packet_id":2,"flow_src_last_pkt_time":1490976091048429,"flow_dst_last_pkt_time":1490976091217295,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976091217295,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA0Sq8AACcG8u0250hYrBAq2AG7o117lZ8zZBSwSYAS\/\/89vAAAAgQFmAMDCAEEAgEB"} 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1450,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packet_id":3,"flow_src_last_pkt_time":1490976091219669,"flow_dst_last_pkt_time":1490976091217295,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976091219669,"pkt":"AMDKkaPvePiC0\/vCCABFAAAo0alAAEAGEv+sECrYNudIWKNdAbtkFLBJe5WfNFAQAVeEFQAA"} -01481{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1452,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":87,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976088631582,"flow_src_last_pkt_time":1490976090996390,"flow_dst_last_pkt_time":1490976091223863,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1093,"flow_src_tot_l4_payload_len":7259,"flow_dst_tot_l4_payload_len":2355,"midstream":0,"thread_ts_usec":1490976091223863,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45710,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":30,"flow_avg":156076.3,"flow_max":1191626,"flow_stddev":278419.0,"c_to_s_min":125,"c_to_s_avg":150135.0,"c_to_s_max":1161828,"c_to_s_stddev":276260.8,"s_to_c_min":30,"s_to_c_avg":162017.6,"s_to_c_max":1191626,"s_to_c_stddev":280434.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":508.9,"c_to_s_max":1514,"c_to_s_stddev":586.1,"s_to_c_min":60,"s_to_c_avg":205.1,"s_to_c_max":1147,"s_to_c_stddev":290.0}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01481{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1452,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":87,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976088631582,"flow_src_last_pkt_time":1490976090996390,"flow_dst_last_pkt_time":1490976091223863,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1093,"flow_src_tot_l4_payload_len":7259,"flow_dst_tot_l4_payload_len":2355,"midstream":0,"thread_ts_usec":1490976091223863,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45710,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":30,"flow_avg":159906.1,"flow_max":1191626,"flow_stddev":282043.2,"c_to_s_min":125,"c_to_s_avg":157653.9,"c_to_s_max":1161828,"c_to_s_stddev":283731.3,"s_to_c_min":30,"s_to_c_avg":162017.6,"s_to_c_max":1191626,"s_to_c_stddev":280434.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":508.9,"c_to_s_max":1514,"c_to_s_stddev":586.1,"s_to_c_min":60,"s_to_c_avg":205.1,"s_to_c_max":1147,"s_to_c_stddev":290.0}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01133{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1454,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976090991595,"flow_src_last_pkt_time":1490976091163513,"flow_dst_last_pkt_time":1490976091345211,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":215,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":215,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1490976091345211,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"s3-external-2.amazonaws.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01668{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1456,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976090991595,"flow_src_last_pkt_time":1490976091163513,"flow_dst_last_pkt_time":1490976091346214,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":215,"flow_dst_max_l4_payload_len":1432,"flow_src_tot_l4_payload_len":215,"flow_dst_tot_l4_payload_len":2727,"midstream":0,"thread_ts_usec":1490976091346214,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"s3-external-2.amazonaws.com","tls": {"version":"TLSv1.2","server_names":"s3-external-1.amazonaws.com,*.s3-external-1.amazonaws.com,s3-external-2.amazonaws.com,*.s3-external-2.amazonaws.com,*.s3.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com Inc., CN=*.s3-external-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"C0:51:D8:FA:6B:58:94:F2:3E:4E:7D:B2:36:5F:02:E4:F0:3F:54:FF"}}} -01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1486,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":89,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976088958157,"flow_src_last_pkt_time":1490976092170541,"flow_dst_last_pkt_time":1490976092236982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":661,"flow_src_tot_l4_payload_len":8342,"flow_dst_tot_l4_payload_len":1817,"midstream":0,"thread_ts_usec":1490976092236982,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45712,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":69,"flow_avg":267787.9,"flow_max":2078003,"flow_stddev":441431.0,"c_to_s_min":143,"c_to_s_avg":293910.4,"c_to_s_max":2078003,"c_to_s_stddev":511296.9,"s_to_c_min":69,"s_to_c_avg":234201.8,"s_to_c_max":1080313,"s_to_c_stddev":327528.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":519.7,"c_to_s_max":1514,"c_to_s_stddev":621.7,"s_to_c_min":60,"s_to_c_avg":187.9,"s_to_c_max":715,"s_to_c_stddev":225.9}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1486,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":89,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976088958157,"flow_src_last_pkt_time":1490976092170541,"flow_dst_last_pkt_time":1490976092236982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":661,"flow_src_tot_l4_payload_len":8342,"flow_dst_tot_l4_payload_len":1817,"midstream":0,"thread_ts_usec":1490976092236982,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45712,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":69,"flow_avg":209393.8,"flow_max":1080313,"flow_stddev":303367.1,"c_to_s_min":143,"c_to_s_avg":188963.8,"c_to_s_max":1005698,"c_to_s_stddev":280275.1,"s_to_c_min":69,"s_to_c_avg":234201.8,"s_to_c_max":1080313,"s_to_c_stddev":327528.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":519.7,"c_to_s_max":1514,"c_to_s_stddev":621.7,"s_to_c_min":60,"s_to_c_avg":187.9,"s_to_c_max":715,"s_to_c_stddev":225.9}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1492,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976093238253,"flow_src_last_pkt_time":1490976093238253,"flow_dst_last_pkt_time":1490976093238253,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976093238253,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1492,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_packet_id":1,"flow_src_last_pkt_time":1490976093238253,"flow_dst_last_pkt_time":1490976093238253,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1490976093238253,"pkt":"AMDKkaPvePiC0\/vCCABFAABEWltAAEARM1SsECrYrBAqAaKnADUAMOTtwQkBAAABAAAAAAAAC2RwLWd3LW5hLWpzBmFtYXpvbgNjb20AAAEAAQ=="} 01011{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1492,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976093238253,"flow_src_last_pkt_time":1490976093238253,"flow_dst_last_pkt_time":1490976093238253,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976093238253,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41639,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"dp-gw-na-js.amazon.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -605,12 +605,12 @@ 01664{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1679,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":105,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976107365814,"flow_src_last_pkt_time":1490976107479024,"flow_dst_last_pkt_time":1490976107577887,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":2695,"midstream":0,"thread_ts_usec":1490976107577887,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40854,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}} 01664{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1689,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":104,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976107365068,"flow_src_last_pkt_time":1490976107486585,"flow_dst_last_pkt_time":1490976107622246,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":2695,"midstream":0,"thread_ts_usec":1490976107622246,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40853,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}} 01664{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1693,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976107455953,"flow_src_last_pkt_time":1490976107514712,"flow_dst_last_pkt_time":1490976107625580,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":2695,"midstream":0,"thread_ts_usec":1490976107625580,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}} -01579{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1748,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976107455953,"flow_src_last_pkt_time":1490976108033189,"flow_dst_last_pkt_time":1490976108034115,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2227,"flow_dst_tot_l4_payload_len":13907,"midstream":0,"thread_ts_usec":1490976108034115,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":48,"flow_avg":43555.7,"flow_max":325585,"flow_stddev":81277.4,"c_to_s_min":148,"c_to_s_avg":74147.3,"c_to_s_max":325585,"c_to_s_stddev":105836.3,"s_to_c_min":48,"s_to_c_avg":27531.5,"s_to_c_max":246615,"s_to_c_stddev":58753.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":258.3,"c_to_s_max":1514,"c_to_s_stddev":413.0,"s_to_c_min":60,"s_to_c_avg":717.2,"s_to_c_max":1514,"s_to_c_stddev":451.5}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01578{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1748,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976107455953,"flow_src_last_pkt_time":1490976108033189,"flow_dst_last_pkt_time":1490976108034115,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2227,"flow_dst_tot_l4_payload_len":13907,"midstream":0,"thread_ts_usec":1490976108034115,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":48,"flow_avg":37270.9,"flow_max":325585,"flow_stddev":74532.9,"c_to_s_min":148,"c_to_s_avg":57723.6,"c_to_s_max":325585,"c_to_s_stddev":96717.9,"s_to_c_min":48,"s_to_c_avg":27531.5,"s_to_c_max":246615,"s_to_c_stddev":58753.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":258.3,"c_to_s_max":1514,"c_to_s_stddev":413.0,"s_to_c_min":60,"s_to_c_avg":717.2,"s_to_c_max":1514,"s_to_c_stddev":451.5}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1812,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":106,"flow_packet_id":2,"flow_src_last_pkt_time":1490976108360248,"flow_dst_last_pkt_time":1490976107366817,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976108360248,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8yY9AAEAGRVisECrYNu8d\/Z+XAbtod6HOAAAAAKAC\/\/8G+AAAAgQFtAQCCAoA9mikAAAAAAEDAwg="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1813,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":106,"flow_packet_id":3,"flow_src_last_pkt_time":1490976108360248,"flow_dst_last_pkt_time":1490976108548394,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976108548394,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwt7hAAOcGsDo27x39rBAq2AG7n5d09wMmaHehz3ASH\/4UgAAAAgQFtAEDAwY="} -01580{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1830,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":105,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976107365814,"flow_src_last_pkt_time":1490976108753694,"flow_dst_last_pkt_time":1490976108749413,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5131,"flow_dst_tot_l4_payload_len":7946,"midstream":0,"thread_ts_usec":1490976108753694,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40854,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":38,"flow_avg":91241.4,"flow_max":932653,"flow_stddev":195127.1,"c_to_s_min":120,"c_to_s_avg":90360.3,"c_to_s_max":639361,"c_to_s_stddev":158586.7,"s_to_c_min":38,"s_to_c_avg":92239.9,"s_to_c_max":932653,"s_to_c_stddev":229610.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":357.0,"c_to_s_max":1514,"c_to_s_stddev":544.0,"s_to_c_min":60,"s_to_c_avg":585.5,"s_to_c_max":1514,"s_to_c_stddev":512.3}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01488{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1838,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":88,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1490976088937719,"flow_src_last_pkt_time":1490976109911223,"flow_dst_last_pkt_time":1490976110045165,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":901,"flow_src_tot_l4_payload_len":10414,"flow_dst_tot_l4_payload_len":1844,"midstream":0,"thread_ts_usec":1490976110045165,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45711,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":138,"flow_avg":1379328.6,"flow_max":9247029,"flow_stddev":2165976.5,"c_to_s_min":276,"c_to_s_avg":1096717.5,"c_to_s_max":6019841,"c_to_s_stddev":1664405.8,"s_to_c_min":138,"s_to_c_avg":1918858.8,"s_to_c_max":9247029,"s_to_c_stddev":2813475.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":551.8,"c_to_s_max":1514,"c_to_s_stddev":616.7,"s_to_c_min":60,"s_to_c_avg":225.8,"s_to_c_max":955,"s_to_c_stddev":322.7}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01218{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1855,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976093358419,"flow_src_last_pkt_time":1490976114866501,"flow_dst_last_pkt_time":1490976095732113,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3149,"flow_dst_tot_l4_payload_len":4067,"midstream":0,"thread_ts_usec":1490976114866501,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":32,"flow_avg":750060.7,"flow_max":19096185,"flow_stddev":3306607.8,"c_to_s_min":348,"c_to_s_avg":1272249.9,"c_to_s_max":19096185,"c_to_s_stddev":4465268.5,"s_to_c_min":32,"s_to_c_avg":158246.3,"s_to_c_max":973197,"s_to_c_stddev":262183.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":240.4,"c_to_s_max":1514,"c_to_s_stddev":333.7,"s_to_c_min":60,"s_to_c_avg":328.1,"s_to_c_max":1514,"s_to_c_stddev":483.1}}} +01580{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1830,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":105,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976107365814,"flow_src_last_pkt_time":1490976108753694,"flow_dst_last_pkt_time":1490976108749413,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5131,"flow_dst_tot_l4_payload_len":7946,"midstream":0,"thread_ts_usec":1490976108753694,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40854,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":38,"flow_avg":89402.5,"flow_max":932653,"flow_stddev":197976.2,"c_to_s_min":120,"c_to_s_avg":86742.5,"c_to_s_max":639361,"c_to_s_stddev":162785.4,"s_to_c_min":38,"s_to_c_avg":92239.9,"s_to_c_max":932653,"s_to_c_stddev":229610.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":357.0,"c_to_s_max":1514,"c_to_s_stddev":544.0,"s_to_c_min":60,"s_to_c_avg":585.5,"s_to_c_max":1514,"s_to_c_stddev":512.3}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01488{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1838,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":88,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1490976088937719,"flow_src_last_pkt_time":1490976109911223,"flow_dst_last_pkt_time":1490976110045165,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":901,"flow_src_tot_l4_payload_len":10414,"flow_dst_tot_l4_payload_len":1844,"midstream":0,"thread_ts_usec":1490976110045165,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45711,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":138,"flow_avg":1357450.1,"flow_max":9247029,"flow_stddev":2197151.2,"c_to_s_min":276,"c_to_s_avg":1048675.2,"c_to_s_max":6019841,"c_to_s_stddev":1691238.9,"s_to_c_min":138,"s_to_c_avg":1918858.8,"s_to_c_max":9247029,"s_to_c_stddev":2813475.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":551.8,"c_to_s_max":1514,"c_to_s_stddev":616.7,"s_to_c_min":60,"s_to_c_avg":225.8,"s_to_c_max":955,"s_to_c_stddev":322.7}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01218{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1855,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976093358419,"flow_src_last_pkt_time":1490976114866501,"flow_dst_last_pkt_time":1490976095732113,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3149,"flow_dst_tot_l4_payload_len":4067,"midstream":0,"thread_ts_usec":1490976114866501,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":32,"flow_avg":770379.9,"flow_max":19096185,"flow_stddev":3357549.8,"c_to_s_min":348,"c_to_s_avg":1344255.1,"c_to_s_max":19096185,"c_to_s_stddev":4593108.5,"s_to_c_min":32,"s_to_c_avg":158246.3,"s_to_c_max":973197,"s_to_c_stddev":262183.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":240.4,"c_to_s_max":1514,"c_to_s_stddev":333.7,"s_to_c_min":60,"s_to_c_avg":328.1,"s_to_c_max":1514,"s_to_c_stddev":483.1}}} 01768{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1855,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976093358419,"flow_src_last_pkt_time":1490976114866501,"flow_dst_last_pkt_time":1490976095732113,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3149,"flow_dst_tot_l4_payload_len":4067,"midstream":0,"thread_ts_usec":1490976114866501,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"dp-gw-na-js.amazon.com","tls": {"version":"TLSv1.2","server_names":"dp-gw-na.amazon.com,dp-gw-na-js.amazon.com,dp-gw-na.amazon.co.uk,dp-gw-na.amazon.de,dp-gw-na.amazon.co.jp,dp-gw-na.amazon.in","ja3":"731bcada65b0a6f850bada3bdcd716d1","ja3s":"fbe78c619e7ea20046131294ad087f05","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=dp-gw-na.amazon.com","fingerprint":"27:E5:06:34:82:69:BC:97:5E:28:A3:C1:5A:23:81:C7:E3:28:95:8C"}}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1856,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":108,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976114879774,"flow_src_last_pkt_time":1490976114879774,"flow_dst_last_pkt_time":1490976114879774,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976114879774,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":20922,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1856,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":108,"flow_packet_id":1,"flow_src_last_pkt_time":1490976114879774,"flow_dst_last_pkt_time":1490976114879774,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1490976114879774,"pkt":"AMDKkaPvePiC0\/vCCABFAABBWl1AAEARM1WsECrYrBAqAVG6ADUALQ0pp4sBAAABAAAAAAAACHBpdGFuZ3VpBmFtYXpvbgNjb20AAAEAAQ=="} @@ -703,14 +703,14 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2055,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":124,"flow_packet_id":2,"flow_src_last_pkt_time":1490976134149854,"flow_dst_last_pkt_time":1490976134237090,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976134237090,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8AABAAPIGPkc0VD84rBAq2ABQyxaJEqCkMupghaAScSCurAAAAgQFtAQCCAps+nR5APZytgEDAwg="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2056,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":124,"flow_packet_id":3,"flow_src_last_pkt_time":1490976134238394,"flow_dst_last_pkt_time":1490976134237090,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976134238394,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0EjNAAEAG3hysECrYNFQ\/OMsWAFAy6mCFiRKgpYAQAVdNOgAAAQEICgD2cr9s+nR5"} 01314{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2057,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":124,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976134149854,"flow_src_last_pkt_time":1490976134239068,"flow_dst_last_pkt_time":1490976134237090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":547,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976134239068,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51990,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"ecx.images-amazon.com","http": {"url":"ecx.images-amazon.com\/images\/I\/612xlaOI2NL._SL210_QL95_.png","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; LGLS751 Build\/LMY47V; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/56.0.2924.87 Mobile Safari\/537.36 PitanguiBridge\/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]","detected_os":"Android 5.1.1"}}} -01355{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2177,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":120,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976134141916,"flow_src_last_pkt_time":1490976134949644,"flow_dst_last_pkt_time":1490976134943908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1641,"flow_dst_tot_l4_payload_len":15770,"midstream":0,"thread_ts_usec":1490976134949644,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51986,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":121,"flow_avg":56721.7,"flow_max":295198,"flow_stddev":99740.3,"c_to_s_min":121,"c_to_s_avg":59594.3,"c_to_s_max":286588,"c_to_s_stddev":98374.2,"s_to_c_min":127,"s_to_c_avg":53466.1,"s_to_c_max":295198,"s_to_c_stddev":101167.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":163.7,"c_to_s_max":613,"c_to_s_stddev":208.0,"s_to_c_min":66,"s_to_c_avg":1117.9,"s_to_c_max":1514,"s_to_c_stddev":574.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01355{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2177,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":120,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976134141916,"flow_src_last_pkt_time":1490976134949644,"flow_dst_last_pkt_time":1490976134943908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1641,"flow_dst_tot_l4_payload_len":15770,"midstream":0,"thread_ts_usec":1490976134949644,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51986,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":121,"flow_avg":51926.5,"flow_max":295198,"flow_stddev":97638.1,"c_to_s_min":121,"c_to_s_avg":50483.0,"c_to_s_max":286588,"c_to_s_stddev":94186.3,"s_to_c_min":127,"s_to_c_avg":53466.1,"s_to_c_max":295198,"s_to_c_stddev":101167.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":163.7,"c_to_s_max":613,"c_to_s_stddev":208.0,"s_to_c_min":66,"s_to_c_avg":1117.9,"s_to_c_max":1514,"s_to_c_stddev":574.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2236,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976136930982,"flow_dst_last_pkt_time":1490976136930982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976136930982,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2236,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_packet_id":1,"flow_src_last_pkt_time":1490976136930982,"flow_dst_last_pkt_time":1490976136930982,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976136930982,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8bqFAAEAGoEasECrYNu8d\/Z+nAbuZbx1qAAAAAKAC\/\/9PLQAAAgQFtAQCCAoA9nPLAAAAAAEDAwg="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2237,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_packet_id":2,"flow_src_last_pkt_time":1490976136930982,"flow_dst_last_pkt_time":1490976137042055,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976137042055,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwrQVAAOcGuu027x39rBAq2AG7n6dEArKimW8da3ASH\/7pVAAAAgQFtAEDAwY="} 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2238,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_packet_id":3,"flow_src_last_pkt_time":1490976137043334,"flow_dst_last_pkt_time":1490976137042055,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976137043334,"pkt":"AMDKkaPvePiC0\/vCCABFAAAobqJAAEAGoFmsECrYNu8d\/Z+nAbuZbx1rRAKyo1AQAVczxgAA"} 01069{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2239,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976137044165,"flow_dst_last_pkt_time":1490976137042055,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976137044165,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01234{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2241,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976137044165,"flow_dst_last_pkt_time":1490976137222092,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976137222092,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}} -01482{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2267,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976138976244,"flow_dst_last_pkt_time":1490976139259019,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":6666,"flow_dst_tot_l4_payload_len":5757,"midstream":0,"thread_ts_usec":1490976139259019,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":24,"flow_avg":186324.2,"flow_max":1589075,"flow_stddev":356764.0,"c_to_s_min":265,"c_to_s_avg":242289.1,"c_to_s_max":1589075,"c_to_s_stddev":416076.4,"s_to_c_min":24,"s_to_c_avg":136943.4,"s_to_c_max":1107068,"s_to_c_stddev":285713.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":499.7,"c_to_s_max":1514,"c_to_s_stddev":619.0,"s_to_c_min":60,"s_to_c_avg":394.9,"s_to_c_max":1514,"s_to_c_stddev":487.2}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01481{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2267,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976138976244,"flow_dst_last_pkt_time":1490976139259019,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":6666,"flow_dst_tot_l4_payload_len":5757,"midstream":0,"thread_ts_usec":1490976139259019,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":24,"flow_avg":141074.2,"flow_max":1107068,"flow_stddev":256640.3,"c_to_s_min":265,"c_to_s_avg":146090.1,"c_to_s_max":706579,"c_to_s_stddev":216036.1,"s_to_c_min":24,"s_to_c_avg":136943.4,"s_to_c_max":1107068,"s_to_c_stddev":285713.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":499.7,"c_to_s_max":1514,"c_to_s_stddev":619.0,"s_to_c_min":60,"s_to_c_avg":394.9,"s_to_c_max":1514,"s_to_c_stddev":487.2}},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2274,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":126,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976139642766,"flow_src_last_pkt_time":1490976139642766,"flow_dst_last_pkt_time":1490976139642766,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976139642766,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51992,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2274,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":126,"flow_packet_id":1,"flow_src_last_pkt_time":1490976139642766,"flow_dst_last_pkt_time":1490976139642766,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976139642766,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8ooBAAEAGTcesECrYNFQ\/OMsYAFAytNZaAAAAAKAC\/\/+zQgAAAgQFtAQCCAoA9nTaAAAAAAEDAwg="} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2275,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":127,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976139643137,"flow_src_last_pkt_time":1490976139643137,"flow_dst_last_pkt_time":1490976139643137,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976139643137,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51993,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -741,8 +741,8 @@ 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2295,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":131,"flow_packet_id":2,"flow_src_last_pkt_time":1490976139643974,"flow_dst_last_pkt_time":1490976139711656,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976139711656,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8AABAAPIGPkc0VD84rBAq2ABQyx1XQZuRlNdGa6AScSCQFAAAAgQFtAQCCAps+n\/1APZ03AEDAwg="} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2296,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":131,"flow_packet_id":3,"flow_src_last_pkt_time":1490976139713700,"flow_dst_last_pkt_time":1490976139711656,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976139713700,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0MrdAAEAGvZisECrYNFQ\/OMsdAFCU10ZrV0GbkoAQAVcupAAAAQEICgD2dONs+n\/1"} 01314{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2297,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":131,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976139643974,"flow_src_last_pkt_time":1490976139714237,"flow_dst_last_pkt_time":1490976139711656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":547,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976139714237,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51997,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"ecx.images-amazon.com","http": {"url":"ecx.images-amazon.com\/images\/I\/61Tfp7ZVcoL._SL210_QL95_.png","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; LGLS751 Build\/LMY47V; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/56.0.2924.87 Mobile Safari\/537.36 PitanguiBridge\/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]","detected_os":"Android 5.1.1"}}} -01353{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2425,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":129,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976139643559,"flow_src_last_pkt_time":1490976140004854,"flow_dst_last_pkt_time":1490976140002371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1094,"flow_dst_tot_l4_payload_len":21002,"midstream":0,"thread_ts_usec":1490976140004854,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51995,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":45,"flow_avg":34405.5,"flow_max":380869,"flow_stddev":75738.7,"c_to_s_min":120,"c_to_s_avg":49477.6,"c_to_s_max":380869,"c_to_s_stddev":102150.9,"s_to_c_min":45,"s_to_c_avg":21106.6,"s_to_c_max":113361,"s_to_c_stddev":34833.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":140.3,"c_to_s_max":613,"c_to_s_stddev":185.5,"s_to_c_min":66,"s_to_c_avg":1301.9,"s_to_c_max":1514,"s_to_c_stddev":459.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} -01355{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2440,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":126,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976139642766,"flow_src_last_pkt_time":1490976140230625,"flow_dst_last_pkt_time":1490976140359077,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1641,"flow_dst_tot_l4_payload_len":18414,"midstream":0,"thread_ts_usec":1490976140359077,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51992,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":97,"flow_avg":52632.7,"flow_max":510931,"flow_stddev":123265.5,"c_to_s_min":119,"c_to_s_avg":60495.9,"c_to_s_max":380076,"c_to_s_stddev":122109.6,"s_to_c_min":97,"s_to_c_avg":44769.4,"s_to_c_max":510931,"s_to_c_stddev":123912.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":169.8,"c_to_s_max":613,"c_to_s_stddev":212.9,"s_to_c_min":66,"s_to_c_avg":1217.4,"s_to_c_max":1514,"s_to_c_stddev":555.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01352{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2425,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":129,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976139643559,"flow_src_last_pkt_time":1490976140004854,"flow_dst_last_pkt_time":1490976140002371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1094,"flow_dst_tot_l4_payload_len":21002,"midstream":0,"thread_ts_usec":1490976140004854,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51995,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":45,"flow_avg":23229.3,"flow_max":179149,"flow_stddev":43867.1,"c_to_s_min":120,"c_to_s_avg":25806.8,"c_to_s_max":179149,"c_to_s_stddev":52683.3,"s_to_c_min":45,"s_to_c_avg":21106.6,"s_to_c_max":113361,"s_to_c_stddev":34833.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":140.3,"c_to_s_max":613,"c_to_s_stddev":185.5,"s_to_c_min":66,"s_to_c_avg":1301.9,"s_to_c_max":1514,"s_to_c_stddev":459.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01354{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2440,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":126,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976139642766,"flow_src_last_pkt_time":1490976140230625,"flow_dst_last_pkt_time":1490976140359077,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1641,"flow_dst_tot_l4_payload_len":18414,"midstream":0,"thread_ts_usec":1490976140359077,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51992,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":97,"flow_avg":42070.0,"flow_max":510931,"flow_stddev":110064.9,"c_to_s_min":119,"c_to_s_avg":39190.6,"c_to_s_max":368811,"c_to_s_stddev":92963.0,"s_to_c_min":97,"s_to_c_avg":44769.4,"s_to_c_max":510931,"s_to_c_stddev":123912.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":169.8,"c_to_s_max":613,"c_to_s_stddev":212.9,"s_to_c_min":66,"s_to_c_avg":1217.4,"s_to_c_max":1514,"s_to_c_stddev":555.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2480,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":132,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976142629437,"flow_src_last_pkt_time":1490976142629437,"flow_dst_last_pkt_time":1490976142629437,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976142629437,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40878,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2480,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":132,"flow_packet_id":1,"flow_src_last_pkt_time":1490976142629437,"flow_dst_last_pkt_time":1490976142629437,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976142629437,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8Si5AAEAGxLmsECrYNu8d\/Z+uAbuBOjwrAAAAAKAC\/\/9GYAAAAgQFtAQCCAoA9nYFAAAAAAEDAwg="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2481,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":132,"flow_packet_id":2,"flow_src_last_pkt_time":1490976142629437,"flow_dst_last_pkt_time":1490976142691841,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976142691841,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw0iJAAOcGldA27x39rBAq2AG7n66gUyr3gTo8LHASH\/4OHAAAAgQFtAEDAwY="} @@ -759,7 +759,7 @@ 00873{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2517,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1490976022731312,"flow_src_last_pkt_time":1490976022731374,"flow_dst_last_pkt_time":1490976022731312,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976150210618,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::1:ffd3:fbc2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00878{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2517,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1490976027958387,"flow_src_last_pkt_time":1490976030758514,"flow_dst_last_pkt_time":1490976027958387,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":120,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976150210618,"l3_proto":"ip4","src_ip":"172.16.42.1","dst_ip":"172.16.42.216","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00888{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2517,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":0,"flow_first_seen":1490976023731065,"flow_src_last_pkt_time":1490976031750280,"flow_dst_last_pkt_time":1490976023731065,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976150210618,"l3_proto":"ip6","src_ip":"fe80::7af8:82ff:fed3:fbc2","dst_ip":"ff02::2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01224{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2519,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976029248822,"flow_src_last_pkt_time":1490976030758212,"flow_dst_last_pkt_time":1490976150757970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5474,"flow_dst_tot_l4_payload_len":6814,"midstream":0,"thread_ts_usec":1490976150757970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":33,"flow_avg":3846331.8,"flow_max":120002762,"flow_stddev":20862698.0,"c_to_s_min":1626,"c_to_s_avg":104897.9,"c_to_s_max":290013,"c_to_s_stddev":112665.4,"s_to_c_min":33,"s_to_c_avg":7147597.0,"s_to_c_max":120002762,"s_to_c_stddev":28214132.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":431.5,"c_to_s_max":1514,"c_to_s_stddev":564.7,"s_to_c_min":66,"s_to_c_avg":467.3,"s_to_c_max":1514,"s_to_c_stddev":574.1}}} +01224{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2519,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976029248822,"flow_src_last_pkt_time":1490976030758212,"flow_dst_last_pkt_time":1490976150757970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5474,"flow_dst_tot_l4_payload_len":6814,"midstream":0,"thread_ts_usec":1490976150757970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":33,"flow_avg":3968339.8,"flow_max":120002762,"flow_stddev":21185284.0,"c_to_s_min":1626,"c_to_s_avg":107813.6,"c_to_s_max":290013,"c_to_s_stddev":116071.7,"s_to_c_min":33,"s_to_c_avg":7147597.0,"s_to_c_max":120002762,"s_to_c_stddev":28214132.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":431.5,"c_to_s_max":1514,"c_to_s_stddev":564.7,"s_to_c_min":66,"s_to_c_avg":467.3,"s_to_c_max":1514,"s_to_c_stddev":574.1}}} 01819{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2519,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976029248822,"flow_src_last_pkt_time":1490976030758212,"flow_dst_last_pkt_time":1490976150757970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5474,"flow_dst_tot_l4_payload_len":6814,"midstream":0,"thread_ts_usec":1490976150757970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2531,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":134,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976158680003,"flow_src_last_pkt_time":1490976158680003,"flow_dst_last_pkt_time":1490976158680003,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976158680003,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45751,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2531,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":134,"flow_packet_id":1,"flow_src_last_pkt_time":1490976158680003,"flow_dst_last_pkt_time":1490976158680003,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976158680003,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8\/ohAAEAGSGasECrYNF7ohrK3Abt2joLDAAAAAKAC\/\/8pLAAAAgQFtAQCCAoA9nxLAAAAAAEDAwg="} @@ -873,7 +873,7 @@ 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2737,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976187511761,"flow_src_last_pkt_time":1490976187511761,"flow_dst_last_pkt_time":1490976187511761,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976187511761,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":38757,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2737,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":1,"flow_src_last_pkt_time":1490976187511761,"flow_dst_last_pkt_time":1490976187511761,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976187511761,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8IbxAAEAG7nasECrYNu8cspdlAbtMyaYzAAAAAKAC\/\/8I0wAAAgQFtAQCCAoA9oePAAAAAAEDAwg="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2739,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":2,"flow_src_last_pkt_time":1490976187511761,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976187571606,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw3K9AAOcGjI427xyyrBAq2AG7l2UCDLyqTMmmNHASH\/7urAAAAgQFtAEDAwY="} -01220{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2741,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976177276176,"flow_src_last_pkt_time":1490976187574979,"flow_dst_last_pkt_time":1490976187571653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":8229,"flow_dst_tot_l4_payload_len":4012,"midstream":0,"thread_ts_usec":1490976187574979,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":112,"flow_avg":644934.8,"flow_max":8001087,"flow_stddev":1878348.2,"c_to_s_min":136,"c_to_s_avg":574579.8,"c_to_s_max":7767064,"c_to_s_stddev":1753654.0,"s_to_c_min":112,"s_to_c_avg":735391.2,"s_to_c_max":8001087,"s_to_c_stddev":2023841.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":512.3,"c_to_s_max":1514,"c_to_s_stddev":628.5,"s_to_c_min":60,"s_to_c_avg":344.1,"s_to_c_max":1514,"s_to_c_stddev":507.6}}} +01220{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2741,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976177276176,"flow_src_last_pkt_time":1490976187574979,"flow_dst_last_pkt_time":1490976187571653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":8229,"flow_dst_tot_l4_payload_len":4012,"midstream":0,"thread_ts_usec":1490976187574979,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":112,"flow_avg":664331.6,"flow_max":8001087,"flow_stddev":1905246.8,"c_to_s_min":136,"c_to_s_avg":605811.9,"c_to_s_max":7767064,"c_to_s_stddev":1799623.5,"s_to_c_min":112,"s_to_c_avg":735391.2,"s_to_c_max":8001087,"s_to_c_stddev":2023841.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":512.3,"c_to_s_max":1514,"c_to_s_stddev":628.5,"s_to_c_min":60,"s_to_c_avg":344.1,"s_to_c_max":1514,"s_to_c_stddev":507.6}}} 01949{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2741,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976177276176,"flow_src_last_pkt_time":1490976187574979,"flow_dst_last_pkt_time":1490976187571653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":8229,"flow_dst_tot_l4_payload_len":4012,"midstream":0,"thread_ts_usec":1490976187574979,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}} 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2742,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":3,"flow_src_last_pkt_time":1490976187575232,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976187575232,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoIb1AAEAG7omsECrYNu8cspdlAbtMyaY0Agy8q1AQAVc5HgAA"} 01159{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2743,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976187511761,"flow_src_last_pkt_time":1490976187577439,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976187577439,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":38757,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","tls": {"version":"TLSv1","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} @@ -902,7 +902,7 @@ 01195{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2820,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976195633256,"flow_src_last_pkt_time":1490976195724734,"flow_dst_last_pkt_time":1490976195670657,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":185,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":185,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976195724734,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.PlayStore","proto_id":"91.228","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"android.clients.google.com","tls": {"version":"TLSv1.2","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01263{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2824,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976195633256,"flow_src_last_pkt_time":1490976195724734,"flow_dst_last_pkt_time":1490976195762060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":185,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":185,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1490976195762060,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.PlayStore","proto_id":"91.228","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"android.clients.google.com","tls": {"version":"TLSv1.2","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"9b1466fd60cadccb848e09c86e284265","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"}}} 02431{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2826,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976195633256,"flow_src_last_pkt_time":1490976195724734,"flow_dst_last_pkt_time":1490976195763002,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":185,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":185,"flow_dst_tot_l4_payload_len":3987,"midstream":0,"thread_ts_usec":1490976195763002,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.PlayStore","proto_id":"91.228","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"android.clients.google.com","tls": {"version":"TLSv1.2","server_names":"*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.gcp.gvt2.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"9b1466fd60cadccb848e09c86e284265","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com","fingerprint":"54:A0:1E:03:FF:CB:33:BC:9D:65:DC:D7:BF:6B:04:2B:F9:F3:D5:42"}}} -01209{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2844,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976195529965,"flow_src_last_pkt_time":1490976195874449,"flow_dst_last_pkt_time":1490976195873685,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4065,"flow_dst_tot_l4_payload_len":11044,"midstream":0,"thread_ts_usec":1490976195874449,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":49,"flow_avg":40129.5,"flow_max":595939,"flow_stddev":104403.1,"c_to_s_min":253,"c_to_s_avg":62694.9,"c_to_s_max":595939,"c_to_s_stddev":145818.0,"s_to_c_min":49,"s_to_c_avg":20218.8,"s_to_c_max":105973,"s_to_c_stddev":30175.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":337.5,"c_to_s_max":1514,"c_to_s_stddev":494.7,"s_to_c_min":66,"s_to_c_avg":718.2,"s_to_c_max":1514,"s_to_c_stddev":628.2}}} +01207{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2844,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976195529965,"flow_src_last_pkt_time":1490976195874449,"flow_dst_last_pkt_time":1490976195873685,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4065,"flow_dst_tot_l4_payload_len":11044,"midstream":0,"thread_ts_usec":1490976195874449,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":49,"flow_avg":22200.1,"flow_max":105973,"flow_stddev":31062.3,"c_to_s_min":253,"c_to_s_avg":24606.0,"c_to_s_max":101959,"c_to_s_stddev":31941.2,"s_to_c_min":49,"s_to_c_avg":20218.8,"s_to_c_max":105973,"s_to_c_stddev":30175.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":337.5,"c_to_s_max":1514,"c_to_s_stddev":494.7,"s_to_c_min":66,"s_to_c_avg":718.2,"s_to_c_max":1514,"s_to_c_stddev":628.2}}} 01722{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2844,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976195529965,"flow_src_last_pkt_time":1490976195874449,"flow_dst_last_pkt_time":1490976195873685,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4065,"flow_dst_tot_l4_payload_len":11044,"midstream":0,"thread_ts_usec":1490976195874449,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2861,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":152,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976195921499,"flow_src_last_pkt_time":1490976195921499,"flow_dst_last_pkt_time":1490976195921499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":49,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":49,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":49,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976195921499,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":4612,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2861,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":152,"flow_packet_id":1,"flow_src_last_pkt_time":1490976195921499,"flow_dst_last_pkt_time":1490976195921499,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":91,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":91,"pkt_l4_len":57,"thread_ts_usec":1490976195921499,"pkt":"AMDKkaPvePiC0\/vCCABFAABNWmZAAEARM0CsECrYrBAqARIEADUAOVP\/iiYBAAABAAAAAAAACWltYWdlcy1uYRFzc2wtaW1hZ2VzLWFtYXpvbgNjb20AAAEAAQ=="} @@ -952,13 +952,13 @@ 01278{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2945,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196261315,"flow_dst_last_pkt_time":1490976196257995,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":194,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":194,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976196261315,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","tls": {"version":"TLSv1.2","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01338{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2950,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196261315,"flow_dst_last_pkt_time":1490976196300973,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":194,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":194,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1490976196300973,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","tls": {"version":"TLSv1.2","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01914{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2952,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196261315,"flow_dst_last_pkt_time":1490976196301692,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":194,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":194,"flow_dst_tot_l4_payload_len":3462,"midstream":0,"thread_ts_usec":1490976196301692,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} -01206{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2970,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976195984177,"flow_src_last_pkt_time":1490976196473740,"flow_dst_last_pkt_time":1490976196515206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1277,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5359,"flow_dst_tot_l4_payload_len":12694,"midstream":0,"thread_ts_usec":1490976196515206,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":54,"flow_avg":33852.2,"flow_max":261773,"flow_stddev":58127.5,"c_to_s_min":133,"c_to_s_avg":34515.1,"c_to_s_max":216850,"c_to_s_stddev":52155.8,"s_to_c_min":54,"s_to_c_avg":33189.3,"s_to_c_max":261773,"s_to_c_stddev":63533.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":402.2,"c_to_s_max":1343,"c_to_s_stddev":532.8,"s_to_c_min":66,"s_to_c_avg":859.9,"s_to_c_max":1514,"s_to_c_stddev":626.5}}} +01206{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2970,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976195984177,"flow_src_last_pkt_time":1490976196473740,"flow_dst_last_pkt_time":1490976196515206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1277,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5359,"flow_dst_tot_l4_payload_len":12694,"midstream":0,"thread_ts_usec":1490976196515206,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":54,"flow_avg":32922.3,"flow_max":261773,"flow_stddev":58822.9,"c_to_s_min":133,"c_to_s_avg":32637.5,"c_to_s_max":216850,"c_to_s_stddev":53340.2,"s_to_c_min":54,"s_to_c_avg":33189.3,"s_to_c_max":261773,"s_to_c_stddev":63533.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":402.2,"c_to_s_max":1343,"c_to_s_stddev":532.8,"s_to_c_min":66,"s_to_c_avg":859.9,"s_to_c_max":1514,"s_to_c_stddev":626.5}}} 01681{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2970,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976195984177,"flow_src_last_pkt_time":1490976196473740,"flow_dst_last_pkt_time":1490976196515206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1277,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5359,"flow_dst_tot_l4_payload_len":12694,"midstream":0,"thread_ts_usec":1490976196515206,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"images-na.ssl-images-amazon.com","tls": {"version":"TLSv1.2","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}} -01706{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3187,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196651032,"flow_dst_last_pkt_time":1490976196769763,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":666,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1652,"flow_dst_tot_l4_payload_len":16510,"midstream":0,"thread_ts_usec":1490976196769763,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":67,"flow_avg":30543.0,"flow_max":241435,"flow_stddev":56516.1,"c_to_s_min":131,"c_to_s_avg":43161.1,"c_to_s_max":227149,"c_to_s_stddev":64026.8,"s_to_c_min":67,"s_to_c_avg":24807.5,"s_to_c_max":241435,"s_to_c_stddev":51742.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":233.2,"c_to_s_max":732,"c_to_s_stddev":257.2,"s_to_c_min":66,"s_to_c_avg":816.8,"s_to_c_max":1514,"s_to_c_stddev":591.7}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01706{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3187,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196651032,"flow_dst_last_pkt_time":1490976196769763,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":666,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1652,"flow_dst_tot_l4_payload_len":16510,"midstream":0,"thread_ts_usec":1490976196769763,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":67,"flow_avg":31380.5,"flow_max":241435,"flow_stddev":57224.6,"c_to_s_min":131,"c_to_s_avg":47448.1,"c_to_s_max":227149,"c_to_s_stddev":66114.6,"s_to_c_min":67,"s_to_c_avg":24807.5,"s_to_c_max":241435,"s_to_c_stddev":51742.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":233.2,"c_to_s_max":732,"c_to_s_stddev":257.2,"s_to_c_min":66,"s_to_c_avg":816.8,"s_to_c_max":1514,"s_to_c_stddev":591.7}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976196840676,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196840676,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976196840676,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packet_id":1,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196840676,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"thread_ts_usec":1490976196840676,"pkt":"AMDKkaPvePiC0\/vCCABFAAA\/WmdAAEARM02sECrYrBAqAQqTADUAK8ZJ2BYBAAABAAAAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAE="} 01006{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976196840676,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196840676,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976196840676,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01205{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3336,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976195985305,"flow_src_last_pkt_time":1490976196879161,"flow_dst_last_pkt_time":1490976196866304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1285,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5470,"flow_dst_tot_l4_payload_len":9856,"midstream":0,"thread_ts_usec":1490976196879161,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":50,"flow_avg":57458.2,"flow_max":264056,"flow_stddev":84637.5,"c_to_s_min":124,"c_to_s_avg":53203.4,"c_to_s_max":222252,"c_to_s_stddev":73938.4,"s_to_c_min":50,"s_to_c_avg":62928.5,"s_to_c_max":264056,"s_to_c_stddev":96393.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":371.7,"c_to_s_max":1351,"c_to_s_stddev":524.4,"s_to_c_min":66,"s_to_c_avg":770.6,"s_to_c_max":1514,"s_to_c_stddev":605.6}}} +01205{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3336,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976195985305,"flow_src_last_pkt_time":1490976196879161,"flow_dst_last_pkt_time":1490976196866304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1285,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5470,"flow_dst_tot_l4_payload_len":9856,"midstream":0,"thread_ts_usec":1490976196879161,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":50,"flow_avg":57253.4,"flow_max":264056,"flow_stddev":85984.0,"c_to_s_min":124,"c_to_s_avg":52579.8,"c_to_s_max":222252,"c_to_s_stddev":76035.9,"s_to_c_min":50,"s_to_c_avg":62928.5,"s_to_c_max":264056,"s_to_c_stddev":96393.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":371.7,"c_to_s_max":1351,"c_to_s_stddev":524.4,"s_to_c_min":66,"s_to_c_avg":770.6,"s_to_c_max":1514,"s_to_c_stddev":605.6}}} 01680{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3336,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976195985305,"flow_src_last_pkt_time":1490976196879161,"flow_dst_last_pkt_time":1490976196866304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1285,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5470,"flow_dst_tot_l4_payload_len":9856,"midstream":0,"thread_ts_usec":1490976196879161,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"images-na.ssl-images-amazon.com","tls": {"version":"TLSv1.2","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3347,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packet_id":2,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196938799,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1490976196938799,"pkt":"ePiC0\/vCAMDKkaPvCABFAABP7ApAAEARoZmsECoBrBAq2AA1CpMAO2jR2BaBgAABAAEAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAHADAABAAEAAAA7AARIFc55"} 01022{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3347,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976196840676,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196938799,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":51,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1490976196938799,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"72.21.206.121"}}} @@ -969,7 +969,7 @@ 01063{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3355,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":159,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976196942963,"flow_src_last_pkt_time":1490976197026574,"flow_dst_last_pkt_time":1490976197023104,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":205,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":205,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976197026574,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47605,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3357,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976197297649,"flow_src_last_pkt_time":1490976197297649,"flow_dst_last_pkt_time":1490976197297649,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976197297649,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47606,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3357,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":1,"flow_src_last_pkt_time":1490976197297649,"flow_dst_last_pkt_time":1490976197297649,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976197297649,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8At9AAEAGSmasECrYSBXOebn2AbvarIm+AAAAAKAC\/\/+uEwAAAgQFtAQCCAoA9othAAAAAAEDAwg="} -01217{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3359,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976186884448,"flow_src_last_pkt_time":1490976195471370,"flow_dst_last_pkt_time":1490976197346218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":10437,"flow_dst_tot_l4_payload_len":5046,"midstream":0,"thread_ts_usec":1490976197346218,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":32,"flow_avg":597346.6,"flow_max":7470598,"flow_stddev":1457565.9,"c_to_s_min":127,"c_to_s_avg":480740.2,"c_to_s_max":3665356,"c_to_s_stddev":932493.2,"s_to_c_min":32,"s_to_c_avg":747269.3,"s_to_c_max":7470598,"s_to_c_stddev":1923032.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":634.9,"c_to_s_max":1514,"c_to_s_stddev":654.9,"s_to_c_min":60,"s_to_c_avg":418.4,"s_to_c_max":1514,"s_to_c_stddev":592.6}}} +01217{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3359,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976186884448,"flow_src_last_pkt_time":1490976195471370,"flow_dst_last_pkt_time":1490976197346218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":10437,"flow_dst_tot_l4_payload_len":5046,"midstream":0,"thread_ts_usec":1490976197346218,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":32,"flow_avg":614473.9,"flow_max":7470598,"flow_stddev":1477715.5,"c_to_s_min":127,"c_to_s_avg":505113.1,"c_to_s_max":3665356,"c_to_s_stddev":953939.5,"s_to_c_min":32,"s_to_c_avg":747269.3,"s_to_c_max":7470598,"s_to_c_stddev":1923032.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":634.9,"c_to_s_max":1514,"c_to_s_stddev":654.9,"s_to_c_min":60,"s_to_c_avg":418.4,"s_to_c_max":1514,"s_to_c_stddev":592.6}}} 01628{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3359,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976186884448,"flow_src_last_pkt_time":1490976195471370,"flow_dst_last_pkt_time":1490976197346218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":10437,"flow_dst_tot_l4_payload_len":5046,"midstream":0,"thread_ts_usec":1490976197346218,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"mobileanalytics.us-east-1.amazonaws.com","tls": {"version":"TLSv1.2","server_names":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D"}}} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3361,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":2,"flow_src_last_pkt_time":1490976197297649,"flow_dst_last_pkt_time":1490976197355099,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976197355099,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw5DlAAOcGwhZIFc55rBAq2AG7ufYaDpo72qyJv3ASH\/6iLAAAAgQFtAEDAwY="} 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3362,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":3,"flow_src_last_pkt_time":1490976197356307,"flow_dst_last_pkt_time":1490976197355099,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976197356307,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoAuBAAEAGSnmsECrYSBXOebn2AbvarIm\/Gg6aPFAQAVfsnQAA"} diff --git a/test/results/amqp.pcap.out b/test/results/amqp.pcap.out index e170e0ec7..0f3455a9b 100644 --- a/test/results/amqp.pcap.out +++ b/test/results/amqp.pcap.out @@ -15,7 +15,7 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"amqp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1490904169152163,"flow_dst_last_pkt_time":1490904169152192,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490904169152192,"pkt":"AAAAAAAAAAAAAAAACABFAAA01sFAAEAGZQB\/AAEBfwAAARYorK7a34rgiptOLIAQDAj\/KAAAAQEICgC+2LgAvti4"} 00715{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"amqp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1490904169152378,"flow_dst_last_pkt_time":1490904169152192,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":206,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":206,"pkt_l4_len":172,"thread_ts_usec":1490904169152378,"pkt":"AAAAAAAAAAAAAAAACABFAADAPzxAAEAG+\/l\/AAABfwABAayuFiiKm04s2t+K4IAYAV7\/tAAAAQEICgC+2LgAvti4AgABAAAAhAA8AAAAAAAAAAAA7v4AHmFwcGxpY2F0aW9uL3gtcHl0aG9uLXNlcmlhbGl6ZQZiaW5hcnkAAAAAAgAkZjMzYWFlMjctNjlmNC00ZjQ4LWIwYmMtMmVmZGM0NTVjMTI4JGFiZjI3YmI1LTAxNDktM2RiZC1hMmRiLWQzNTcyYzMwOTc5MM4="} 00856{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"amqp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1490904166119482,"flow_src_last_pkt_time":1490904169152864,"flow_dst_last_pkt_time":1490904169156013,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":425,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":448,"flow_dst_max_l4_payload_len":21,"flow_src_tot_l4_payload_len":1321,"flow_dst_tot_l4_payload_len":21,"midstream":1,"thread_ts_usec":1490904169156013,"l3_proto":"ip4","src_ip":"127.0.1.1","dst_ip":"127.0.0.1","src_port":5672,"dst_port":44204,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} -01340{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"amqp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490904166118902,"flow_src_last_pkt_time":1490904169595775,"flow_dst_last_pkt_time":1490904169595788,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":329,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2113,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1490904169595788,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.1.1","src_port":44205,"dst_port":5672,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":31,"flow_avg":23923328.0,"flow_max":758592742,"flow_stddev":131951576.0,"c_to_s_min":94,"c_to_s_avg":47629352.0,"c_to_s_max":758592742,"c_to_s_stddev":183570720.0,"s_to_c_min":31,"s_to_c_avg":217305.4,"s_to_c_max":2001684,"s_to_c_stddev":529635.0},"pktlen": {"c_to_s_min":103,"c_to_s_avg":198.1,"c_to_s_max":395,"c_to_s_stddev":105.2,"s_to_c_min":66,"s_to_c_avg":66.0,"s_to_c_max":66,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} +01326{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"amqp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490904166118902,"flow_src_last_pkt_time":1490904169595775,"flow_dst_last_pkt_time":1490904169595788,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":329,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2113,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1490904169595788,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.1.1","src_port":44205,"dst_port":5672,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":31,"flow_avg":224314.8,"flow_max":2001684,"flow_stddev":536643.9,"c_to_s_min":94,"c_to_s_avg":231791.5,"c_to_s_max":2001663,"c_to_s_stddev":543921.0,"s_to_c_min":31,"s_to_c_avg":217305.4,"s_to_c_max":2001684,"s_to_c_stddev":529635.0},"pktlen": {"c_to_s_min":103,"c_to_s_avg":198.1,"c_to_s_max":395,"c_to_s_stddev":105.2,"s_to_c_min":66,"s_to_c_avg":66.0,"s_to_c_max":66,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00896{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":160,"source":"amqp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":9,"flow_first_seen":1490904166119482,"flow_src_last_pkt_time":1490904170242659,"flow_dst_last_pkt_time":1490904170206101,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":448,"flow_dst_max_l4_payload_len":21,"flow_src_tot_l4_payload_len":3469,"flow_dst_tot_l4_payload_len":105,"midstream":1,"thread_ts_usec":1490904170243630,"l3_proto":"ip4","src_ip":"127.0.1.1","dst_ip":"127.0.0.1","src_port":5672,"dst_port":44204,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00895{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":160,"source":"amqp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":54,"flow_dst_packets_processed":54,"flow_first_seen":1490904166118902,"flow_src_last_pkt_time":1490904170243601,"flow_dst_last_pkt_time":1490904170243630,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":329,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":7295,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1490904170243630,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.1.1","src_port":44205,"dst_port":5672,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00895{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":160,"source":"amqp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":15,"flow_first_seen":1490904169152163,"flow_src_last_pkt_time":1490904170195756,"flow_dst_last_pkt_time":1490904170195765,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2085,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1490904170243630,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.1.1","src_port":44206,"dst_port":5672,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} @@ -33,5 +33,5 @@ ~~ total allocations/frees...: 121617/121617 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 475 chars -~~ json string max len.......: 1345 chars -~~ json string avg len.......: 906 chars +~~ json string max len.......: 1331 chars +~~ json string avg len.......: 899 chars diff --git a/test/results/android.pcap.out b/test/results/android.pcap.out index 75dcfd492..459e8c782 100644 --- a/test/results/android.pcap.out +++ b/test/results/android.pcap.out @@ -294,7 +294,7 @@ 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":406,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1582454871881494,"flow_dst_last_pkt_time":1582454871881494,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1582454871881494,"pkt":"xiwDYGpkTGr2n\/YnCABFAABErDBAAEARCRfAqAIQwKgCAZtQADUAMNjjuKUBAAABAAAAAAAAB2FuZHJvaWQKZ29vZ2xlYXBpcwNjb20AAAEAAQ=="} 01013{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":406,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454871881494,"flow_src_last_pkt_time":1582454871881494,"flow_dst_last_pkt_time":1582454871881494,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454871881494,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":39760,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.GoogleServices","proto_id":"5.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"android.googleapis.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 01117{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":408,"source":"android.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1582454871829800,"flow_src_last_pkt_time":1582454871890562,"flow_dst_last_pkt_time":1582454871867294,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454871890562,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.76","src_port":43646,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DataSaver","proto_id":"91.46","encrypted":1,"breed":"Fun","category_id":5,"category":"Web","hostname":"proxy.googlezip.net","tls": {"version":"TLSv1.2","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01465{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":431,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1582454871152402,"flow_src_last_pkt_time":1582454871906464,"flow_dst_last_pkt_time":1582454871901421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":819,"flow_dst_tot_l4_payload_len":10828,"midstream":0,"thread_ts_usec":1582454871906464,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32996,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":47407.8,"flow_max":404574,"flow_stddev":102775.1,"c_to_s_min":10,"c_to_s_avg":45178.4,"c_to_s_max":386517,"c_to_s_stddev":96695.7,"s_to_c_min":3,"s_to_c_avg":49934.6,"s_to_c_max":404574,"s_to_c_stddev":109201.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":114.6,"c_to_s_max":578,"c_to_s_stddev":124.7,"s_to_c_min":66,"s_to_c_avg":788.4,"s_to_c_max":1484,"s_to_c_stddev":626.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01465{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":431,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1582454871152402,"flow_src_last_pkt_time":1582454871906464,"flow_dst_last_pkt_time":1582454871901421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":819,"flow_dst_tot_l4_payload_len":10828,"midstream":0,"thread_ts_usec":1582454871906464,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32996,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":48486.5,"flow_max":404574,"flow_stddev":104241.1,"c_to_s_min":10,"c_to_s_avg":47128.9,"c_to_s_max":386517,"c_to_s_stddev":99346.7,"s_to_c_min":3,"s_to_c_avg":49934.6,"s_to_c_max":404574,"s_to_c_stddev":109201.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":114.6,"c_to_s_max":578,"c_to_s_stddev":124.7,"s_to_c_min":66,"s_to_c_avg":788.4,"s_to_c_max":1484,"s_to_c_stddev":626.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01163{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":434,"source":"android.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1582454871839297,"flow_src_last_pkt_time":1582454871880409,"flow_dst_last_pkt_time":1582454871911317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1582454871911317,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33014,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.google.com","tls": {"version":"TLSv1.3","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01166{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":437,"source":"android.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1582454871814833,"flow_src_last_pkt_time":1582454871879681,"flow_dst_last_pkt_time":1582454871913572,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":594,"flow_dst_max_l4_payload_len":212,"flow_src_tot_l4_payload_len":594,"flow_dst_tot_l4_payload_len":212,"midstream":0,"thread_ts_usec":1582454871913572,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.21.202","src_port":51944,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DataSaver","proto_id":"91.46","encrypted":1,"breed":"Fun","category_id":5,"category":"Web","hostname":"datasaver.googleapis.com","tls": {"version":"TLSv1.3","ja3":"554719594ba90b02ae410c297c6e50ad","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":441,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":2,"flow_src_last_pkt_time":1582454871881494,"flow_dst_last_pkt_time":1582454871920611,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"thread_ts_usec":1582454871920611,"pkt":"TGr2n\/YnxiwDYGpkCABFAABUFXQAAEAR38PAqAIBwKgCEAA1m1AAQNQ0uKWBgAABAAEAAAAAB2FuZHJvaWQKZ29vZ2xlYXBpcwNjb20AAAEAAcAMAAEAAQAAARcABKzZFgo="} diff --git a/test/results/anyconnect-vpn.pcap.out b/test/results/anyconnect-vpn.pcap.out index 166657c91..259c05462 100644 --- a/test/results/anyconnect-vpn.pcap.out +++ b/test/results/anyconnect-vpn.pcap.out @@ -66,7 +66,7 @@ 01148{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687245728221,"flow_dst_last_pkt_time":1569687245727730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":167,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687245728221,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 01302{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":62,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687245728221,"flow_dst_last_pkt_time":1569687245772680,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":167,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1569687245772680,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","alpn":"http\/1.1"}}} 01792{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":68,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687245813667,"flow_dst_last_pkt_time":1569687245851826,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":167,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":5792,"midstream":0,"thread_ts_usec":1569687245851826,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","alpn":"http\/1.1","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}} -01194{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687246009851,"flow_dst_last_pkt_time":1569687246009730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6050,"flow_dst_tot_l4_payload_len":7973,"midstream":0,"thread_ts_usec":1569687246009851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":21634.9,"flow_max":71520,"flow_stddev":21413.0,"c_to_s_min":1,"c_to_s_avg":21837.1,"c_to_s_max":44938,"c_to_s_stddev":19755.6,"s_to_c_min":1,"s_to_c_avg":21432.7,"s_to_c_max":71520,"s_to_c_stddev":22949.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":422.6,"c_to_s_max":1514,"c_to_s_stddev":556.7,"s_to_c_min":66,"s_to_c_avg":597.8,"s_to_c_max":1514,"s_to_c_stddev":627.1}}} +01194{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687246009851,"flow_dst_last_pkt_time":1569687246009730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6050,"flow_dst_tot_l4_payload_len":7973,"midstream":0,"thread_ts_usec":1569687246009851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":22175.9,"flow_max":71520,"flow_stddev":21576.5,"c_to_s_min":1,"c_to_s_avg":22972.2,"c_to_s_max":44938,"c_to_s_stddev":19970.8,"s_to_c_min":1,"s_to_c_avg":21432.7,"s_to_c_max":71520,"s_to_c_stddev":22949.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":422.6,"c_to_s_max":1514,"c_to_s_stddev":556.7,"s_to_c_min":66,"s_to_c_avg":597.8,"s_to_c_max":1514,"s_to_c_stddev":627.1}}} 01796{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":88,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687246009851,"flow_dst_last_pkt_time":1569687246009730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6050,"flow_dst_tot_l4_payload_len":7973,"midstream":0,"thread_ts_usec":1569687246009851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","alpn":"http\/1.1","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":93,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687246891499,"flow_src_last_pkt_time":1569687246891499,"flow_dst_last_pkt_time":1569687246891499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":23,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":23,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687246891499,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.76.76","src_port":63107,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1569687246891499,"flow_dst_last_pkt_time":1569687246891499,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"thread_ts_usec":1569687246891499,"pkt":"LH6BsEqhNDY7z3UoCABFAAAzrdgAAP8Ra2cKAADjS0tMTPaDADUAH3AoGBgBAAABAAAAAAAABWxvY2FsAAAGAAE="} @@ -172,7 +172,7 @@ 01027{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":225,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1569687261485620,"flow_src_last_pkt_time":1569687261485620,"flow_dst_last_pkt_time":1569687261501464,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":51,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":51,"flow_dst_max_l4_payload_len":103,"flow_src_tot_l4_payload_len":51,"flow_dst_tot_l4_payload_len":103,"midstream":0,"thread_ts_usec":1569687261501464,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":59222,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"lp-rkerur-osx.hsd1.ca.comcast.net","dns": {"num_queries":1,"num_answers":1,"reply_code":3,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00643{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":226,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":1569687261486499,"flow_dst_last_pkt_time":1569687261506389,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":145,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":145,"pkt_l4_len":111,"thread_ts_usec":1569687261506389,"pkt":"NDY7z3UoLH6BsEqhCABFAACDAABAADoRnvFLS0tLCgAA4wA13rkAbznpXq+BgwABAAAAAQAADUxQLVJLRVJVUi1PU1gEaHNkMQJjYQdjb21jYXN0A25ldAAAHAABwBoABgABAAAcIAAoBmRuczEwMcAiCGRuc2FkbWluwCIBawJtAAAcIAAADhAACTqAAAAcIA=="} 01028{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":226,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1569687261486499,"flow_src_last_pkt_time":1569687261486499,"flow_dst_last_pkt_time":1569687261506389,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":51,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":51,"flow_dst_max_l4_payload_len":103,"flow_src_tot_l4_payload_len":51,"flow_dst_tot_l4_payload_len":103,"midstream":0,"thread_ts_usec":1569687261506389,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":57017,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"lp-rkerur-osx.hsd1.ca.comcast.net","dns": {"num_queries":1,"num_answers":1,"reply_code":3,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01914{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":229,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569687260591875,"flow_src_last_pkt_time":1569687261807505,"flow_dst_last_pkt_time":1569687261836138,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1195,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":2943,"flow_dst_tot_l4_payload_len":4489,"midstream":0,"thread_ts_usec":1569687261836138,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.96.194","src_port":56921,"dst_port":4287,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":272,"flow_avg":80711.1,"flow_max":384774,"flow_stddev":119916.5,"c_to_s_min":272,"c_to_s_avg":83655.8,"c_to_s_max":358152,"c_to_s_stddev":113440.9,"s_to_c_min":1730,"s_to_c_avg":77766.4,"s_to_c_max":384774,"s_to_c_stddev":125991.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":250.7,"c_to_s_max":1261,"c_to_s_stddev":328.9,"s_to_c_min":66,"s_to_c_avg":347.3,"s_to_c_max":1434,"s_to_c_stddev":483.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01914{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":229,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569687260591875,"flow_src_last_pkt_time":1569687261807505,"flow_dst_last_pkt_time":1569687261836138,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1195,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":2943,"flow_dst_tot_l4_payload_len":4489,"midstream":0,"thread_ts_usec":1569687261836138,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.96.194","src_port":56921,"dst_port":4287,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":272,"flow_avg":79351.4,"flow_max":384774,"flow_stddev":121592.3,"c_to_s_min":272,"c_to_s_avg":81042.0,"c_to_s_max":358152,"c_to_s_stddev":116693.8,"s_to_c_min":1730,"s_to_c_avg":77766.4,"s_to_c_max":384774,"s_to_c_stddev":125991.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":250.7,"c_to_s_max":1261,"c_to_s_stddev":328.9,"s_to_c_min":66,"s_to_c_avg":347.3,"s_to_c_max":1434,"s_to_c_stddev":483.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":256,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687262866211,"flow_src_last_pkt_time":1569687262866211,"flow_dst_last_pkt_time":1569687262866211,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":16,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569687262866211,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"162.222.43.153","src_port":56881,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":256,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1569687262866211,"flow_dst_last_pkt_time":1569687262866211,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1569687262866211,"pkt":"LH6BsEqhNDY7z3UoCABFAABEAABAAEAGYVoKAADjot4rmd4xAbu3QBvT9S8yS4AYEAD8CwAAAQEIChwNvkTkAuRNDi2ISqeLxJuBXTMcrWivnw=="} 00842{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":2,"flow_src_last_pkt_time":1569687262866958,"flow_dst_last_pkt_time":1569687262866211,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":292,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":292,"pkt_l4_len":258,"thread_ts_usec":1569687262866958,"pkt":"LH6BsEqhNDY7z3UoCABFAAEWAABAAEAGYIgKAADjot4rmd4xAbu3QBvj9S8yS4AYEACf4gAAAQEIChwNvkTkAuRNC2FzYPnyOhEIxzv9HgAAAQAAAAAABf0HAAAAAAAAAFYAAAAAABO4pgAAAfJ1AAAAGzdZOcQAAAAAAAAAAAAAAAAAAAAAAAAAAGwAAAAAEjynVwAAAAAACz6PAAAAAABmQ+JAyo3EgU6LQwAAAAAAAAAAAAAACK7duMsBAQAAAAELYXNg+fI6EQjHO\/0eAAABAAAAAAAF\/QcAAAAAAAAAVgAAAAAAE7imAAAB8nUAAAAbN1k5xAAAAAAAAAAAAAAAAAAAAAAAAAAAbAAAAAASPKdXAAAAAAALPo8AAAAAAAAAAQ=="} @@ -184,7 +184,7 @@ 01251{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":301,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267079534,"flow_dst_last_pkt_time":1569687267077459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687267079534,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01405{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":303,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267079534,"flow_dst_last_pkt_time":1569687267125585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1569687267125585,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA"}}} 01895{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":309,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267166003,"flow_dst_last_pkt_time":1569687267203156,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":5792,"midstream":0,"thread_ts_usec":1569687267203156,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}} -01199{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":333,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267393587,"flow_dst_last_pkt_time":1569687267393508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1471,"flow_dst_tot_l4_payload_len":13402,"midstream":0,"thread_ts_usec":1569687267393587,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":39806.9,"flow_max":397693,"flow_stddev":76177.3,"c_to_s_min":1,"c_to_s_avg":63015.2,"c_to_s_max":397693,"c_to_s_stddev":104556.3,"s_to_c_min":1,"s_to_c_avg":22400.7,"s_to_c_max":138032,"s_to_c_stddev":35344.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":164.9,"c_to_s_max":1031,"c_to_s_stddev":249.4,"s_to_c_min":66,"s_to_c_avg":854.6,"s_to_c_max":1514,"s_to_c_stddev":666.4}}} +01197{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":333,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267393587,"flow_dst_last_pkt_time":1569687267393508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1471,"flow_dst_tot_l4_payload_len":13402,"midstream":0,"thread_ts_usec":1569687267393587,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":26551.9,"flow_max":138032,"flow_stddev":33142.4,"c_to_s_min":1,"c_to_s_avg":32590.0,"c_to_s_max":97159,"c_to_s_stddev":28591.7,"s_to_c_min":1,"s_to_c_avg":22400.7,"s_to_c_max":138032,"s_to_c_stddev":35344.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":164.9,"c_to_s_max":1031,"c_to_s_stddev":249.4,"s_to_c_min":66,"s_to_c_avg":854.6,"s_to_c_max":1514,"s_to_c_stddev":666.4}}} 01899{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":333,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267393587,"flow_dst_last_pkt_time":1569687267393508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1471,"flow_dst_tot_l4_payload_len":13402,"midstream":0,"thread_ts_usec":1569687267393587,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":343,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687267453127,"flow_src_last_pkt_time":1569687267453127,"flow_dst_last_pkt_time":1569687267453127,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569687267453127,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.149","src_port":56865,"dst_port":8008,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":343,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":1,"flow_src_last_pkt_time":1569687267453127,"flow_dst_last_pkt_time":1569687267453127,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1569687267453127,"pkt":"pHczjPFANDY7z3UoCABFAAA0AABAAEAGJU0KAADjCgAAld4hH0glPK3eiXsRe4AREAA75QAAAQEIChwN0AsAIb2q"} @@ -278,7 +278,7 @@ 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":439,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":2,"flow_src_last_pkt_time":1569687268746220,"flow_dst_last_pkt_time":1569687268789706,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1569687268789706,"pkt":"NDY7z3UoLH6BsEqhCABFAABMkFUAAPcRuegIJWZbCgAA4wG701sAOF8pFgEAAAAAAAAAAAAAIwMAABcAAAAAAAAAFwEAFGKRvPEadu7FYjYhjKxM1MN8EkEd"} 00664{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":440,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":3,"flow_src_last_pkt_time":1569687268790107,"flow_dst_last_pkt_time":1569687268789706,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":161,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":161,"pkt_l4_len":127,"thread_ts_usec":1569687268790107,"pkt":"LH6BsEqhNDY7z3UoCABFAACTQPwAAEARv\/sKAADjCCVmW9NbAbsAf9nwFgEAAAAAAAAAAAEAagEAAF4AAQAAAAAAXgEA7YnEaZ6hZImmhCHr0JUfCBctWVvywlB71JRnxl7mI4ogm7BxyKgEQGFPg0eizi7+AVQMevU74i4erAc5hyngJu8UYpG88Rp27sViNiGMrEzUw3wSQR0AAgA5AQA="} 01000{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":465,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1569687268746220,"flow_src_last_pkt_time":1569687268790107,"flow_dst_last_pkt_time":1569687268836308,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":119,"flow_dst_max_l4_payload_len":188,"flow_src_tot_l4_payload_len":218,"flow_dst_tot_l4_payload_len":236,"midstream":0,"thread_ts_usec":1569687268836308,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":54107,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"DTLS","proto_id":"30","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01459{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":503,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569687268746220,"flow_src_last_pkt_time":1569687268990048,"flow_dst_last_pkt_time":1569687268992240,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":93,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":157,"flow_dst_max_l4_payload_len":365,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3458,"midstream":0,"thread_ts_usec":1569687268992240,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":54107,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":29136.8,"flow_max":442529,"flow_stddev":76515.5,"c_to_s_min":136,"c_to_s_avg":42897.3,"c_to_s_max":442529,"c_to_s_stddev":104682.3,"s_to_c_min":1,"s_to_c_avg":15376.2,"s_to_c_max":46982,"s_to_c_stddev":19291.6},"pktlen": {"c_to_s_min":135,"c_to_s_avg":168.0,"c_to_s_max":199,"c_to_s_stddev":16.8,"s_to_c_min":90,"s_to_c_avg":258.1,"s_to_c_max":407,"s_to_c_stddev":75.2}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"DTLS","proto_id":"30","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01456{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":503,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569687268746220,"flow_src_last_pkt_time":1569687268990048,"flow_dst_last_pkt_time":1569687268992240,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":93,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":157,"flow_dst_max_l4_payload_len":365,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3458,"midstream":0,"thread_ts_usec":1569687268992240,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":54107,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":15801.5,"flow_max":47070,"flow_stddev":18787.6,"c_to_s_min":136,"c_to_s_avg":16255.2,"c_to_s_max":47070,"c_to_s_stddev":18223.6,"s_to_c_min":1,"s_to_c_avg":15376.2,"s_to_c_max":46982,"s_to_c_stddev":19291.6},"pktlen": {"c_to_s_min":135,"c_to_s_avg":168.0,"c_to_s_max":199,"c_to_s_stddev":16.8,"s_to_c_min":90,"s_to_c_avg":258.1,"s_to_c_max":407,"s_to_c_stddev":75.2}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"DTLS","proto_id":"30","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":519,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687269094582,"flow_src_last_pkt_time":1569687269094582,"flow_dst_last_pkt_time":1569687269094582,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":4,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":4,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":4,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687269094582,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.1","src_port":52595,"dst_port":192,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":519,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1569687269094582,"flow_dst_last_pkt_time":1569687269094582,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":46,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":46,"pkt_l4_len":12,"thread_ts_usec":1569687269094582,"pkt":"LH6BsEqhNDY7z3UoCABFAAAg7WwAAEAReH0KAADjCgAAAc1zAMAADBGuCAEDEA=="} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":578,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687269223066,"flow_src_last_pkt_time":1569687269223066,"flow_dst_last_pkt_time":1569687269223066,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":311,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":311,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687269223066,"l3_proto":"ip4","src_ip":"10.0.0.151","dst_ip":"10.0.0.227","src_port":1900,"dst_port":57547,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/anydesk-2.pcap.out b/test/results/anydesk-2.pcap.out index e800c029d..69d352945 100644 --- a/test/results/anydesk-2.pcap.out +++ b/test/results/anydesk-2.pcap.out @@ -22,7 +22,7 @@ 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1613977595407676,"flow_dst_last_pkt_time":1613977595407489,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1613977595407676,"pkt":"2MuK4S0uKDc3AG3ICABFAAAoAABAAEAGthLAqAGywKgBu8tHG54tLA3dVf0iy1AQIABwXwAAAAAAAAAA"} 01367{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":17,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1613977595407425,"flow_src_last_pkt_time":1613977595408312,"flow_dst_last_pkt_time":1613977595407489,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1613977595408312,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01788{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1613977595407425,"flow_src_last_pkt_time":1613977595408312,"flow_dst_last_pkt_time":1613977595549041,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":813,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":813,"midstream":0,"thread_ts_usec":1613977595549041,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"4b505adfb4a921c5a3a39d293b0811e1","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","subjectDN":"CN=AnyDesk Client, CN=AnyDesk Client","fingerprint":"86:4F:2A:9F:24:71:FD:0D:6A:35:56:AC:D8:7B:3A:19:E8:03:CA:2E"}}} -01852{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1613977595379986,"flow_src_last_pkt_time":1613977601740964,"flow_dst_last_pkt_time":1613977601737415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":3926,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5712,"flow_dst_tot_l4_payload_len":2727,"midstream":0,"thread_ts_usec":1613977601740964,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":328,"flow_avg":805563.0,"flow_max":9837356,"flow_stddev":1936206.9,"c_to_s_min":333,"c_to_s_avg":1157023.9,"c_to_s_max":9837356,"c_to_s_stddev":2549565.5,"s_to_c_min":328,"s_to_c_avg":454102.1,"s_to_c_max":3021750,"s_to_c_stddev":866291.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":462.9,"c_to_s_max":3980,"c_to_s_stddev":1028.2,"s_to_c_min":60,"s_to_c_avg":209.5,"s_to_c_max":1514,"s_to_c_stddev":377.6}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +01849{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1613977595379986,"flow_src_last_pkt_time":1613977601740964,"flow_dst_last_pkt_time":1613977601737415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":3926,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5712,"flow_dst_tot_l4_payload_len":2727,"midstream":0,"thread_ts_usec":1613977601740964,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":328,"flow_avg":471052.1,"flow_max":3021750,"flow_stddev":868685.8,"c_to_s_min":333,"c_to_s_avg":489306.0,"c_to_s_max":2966766,"c_to_s_stddev":870888.5,"s_to_c_min":328,"s_to_c_avg":454102.1,"s_to_c_max":3021750,"s_to_c_stddev":866291.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":462.9,"c_to_s_max":3980,"c_to_s_stddev":1028.2,"s_to_c_min":60,"s_to_c_avg":209.5,"s_to_c_max":1514,"s_to_c_stddev":377.6}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00770{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2521,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":7,"flow_first_seen":1613977595407425,"flow_src_last_pkt_time":1613977595964011,"flow_dst_last_pkt_time":1613977595963376,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1286,"flow_dst_max_l4_payload_len":914,"flow_src_tot_l4_payload_len":1549,"flow_dst_tot_l4_payload_len":1767,"midstream":0,"thread_ts_usec":1613977618224857,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01417{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2521,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":947,"flow_dst_packets_processed":1555,"flow_first_seen":1613977595379986,"flow_src_last_pkt_time":1613977618224574,"flow_dst_last_pkt_time":1613977618224857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":5506,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1977868,"flow_dst_tot_l4_payload_len":24838,"midstream":0,"thread_ts_usec":1613977618224857,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00919{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2521,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1613977585542630,"flow_src_last_pkt_time":1613977585542630,"flow_dst_last_pkt_time":1613977585553797,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":1613977618224857,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.1","src_port":55376,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AnyDesk","proto_id":"5.252","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} @@ -41,5 +41,5 @@ ~~ total allocations/frees...: 123999/123999 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 480 chars -~~ json string max len.......: 1857 chars -~~ json string avg len.......: 1167 chars +~~ json string max len.......: 1854 chars +~~ json string avg len.......: 1166 chars diff --git a/test/results/anydesk.pcap.out b/test/results/anydesk.pcap.out index 6098de2be..2d77e7f2b 100644 --- a/test/results/anydesk.pcap.out +++ b/test/results/anydesk.pcap.out @@ -12,7 +12,7 @@ 01504{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342199366725,"flow_dst_last_pkt_time":1591342199366001,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1591342199366725,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01566{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342199366725,"flow_dst_last_pkt_time":1591342199532111,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":1300,"midstream":0,"thread_ts_usec":1591342199532111,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}}} 01873{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342199532151,"flow_dst_last_pkt_time":1591342199532596,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":2600,"midstream":0,"thread_ts_usec":1591342199532596,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","subjectDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}} -01204{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342201135977,"flow_dst_last_pkt_time":1591342202739154,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5696,"flow_dst_tot_l4_payload_len":5521,"midstream":0,"thread_ts_usec":1591342202739154,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":176354.6,"flow_max":1602919,"flow_stddev":388064.9,"c_to_s_min":7,"c_to_s_avg":140359.3,"c_to_s_max":1216321,"c_to_s_stddev":299187.9,"s_to_c_min":2,"s_to_c_avg":208115.2,"s_to_c_max":1602919,"s_to_c_stddev":449819.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":435.1,"c_to_s_max":1514,"c_to_s_stddev":567.0,"s_to_c_min":60,"s_to_c_avg":381.6,"s_to_c_max":1514,"s_to_c_stddev":543.3}}} +01204{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342201135977,"flow_dst_last_pkt_time":1591342202739154,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5696,"flow_dst_tot_l4_payload_len":5521,"midstream":0,"thread_ts_usec":1591342202739154,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":176540.0,"flow_max":1602919,"flow_stddev":394272.9,"c_to_s_min":7,"c_to_s_avg":138198.6,"c_to_s_max":1216321,"c_to_s_stddev":309575.8,"s_to_c_min":2,"s_to_c_avg":208115.2,"s_to_c_max":1602919,"s_to_c_stddev":449819.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":435.1,"c_to_s_max":1514,"c_to_s_stddev":567.0,"s_to_c_min":60,"s_to_c_avg":381.6,"s_to_c_max":1514,"s_to_c_stddev":543.3}}} 01877{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":40,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342201135977,"flow_dst_last_pkt_time":1591342202739154,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5696,"flow_dst_tot_l4_payload_len":5521,"midstream":0,"thread_ts_usec":1591342202739154,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","subjectDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}} 01170{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6963,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":10,"flow_first_seen":1591342198821353,"flow_src_last_pkt_time":1591342244652502,"flow_dst_last_pkt_time":1591342244652493,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":51,"flow_dst_max_l4_payload_len":159,"flow_src_tot_l4_payload_len":252,"flow_dst_tot_l4_payload_len":355,"midstream":1,"thread_ts_usec":1591342255171414,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.239.144","src_port":36351,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 01520{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6963,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2942,"flow_dst_packets_processed":4001,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342255171414,"flow_dst_last_pkt_time":1591342255171331,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":16215,"flow_dst_tot_l4_payload_len":2401200,"midstream":0,"thread_ts_usec":1591342255171414,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} diff --git a/test/results/bad-dns-traffic.pcap.out b/test/results/bad-dns-traffic.pcap.out index 5e4b824d7..e95492d89 100644 --- a/test/results/bad-dns-traffic.pcap.out +++ b/test/results/bad-dns-traffic.pcap.out @@ -17,7 +17,7 @@ 01193{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012638093433,"flow_dst_last_pkt_time":1486012635073060,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":91,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":91,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":364,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1486012638093433,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"46b100fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":5,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 01194{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012639101974,"flow_dst_last_pkt_time":1486012635073060,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":91,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":91,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":455,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1486012639101974,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"c75900fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":16,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 01308{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012639101974,"flow_dst_last_pkt_time":1486012639174914,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":91,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":91,"flow_dst_max_l4_payload_len":122,"flow_src_tot_l4_payload_len":455,"flow_dst_tot_l4_payload_len":122,"midstream":0,"thread_ts_usec":1486012639174914,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"c75900fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":16,"rsp_type":16,"rsp_addr":"0.0.0.0"}}} -01596{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012651592518,"flow_dst_last_pkt_time":1486012651846910,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":248,"flow_dst_max_l4_payload_len":281,"flow_src_tot_l4_payload_len":1392,"flow_dst_tot_l4_payload_len":1397,"midstream":0,"thread_ts_usec":1486012651846910,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":63089,"flow_avg":1201146.5,"flow_max":5143379,"flow_stddev":980479.9,"c_to_s_min":73173,"c_to_s_avg":1140149.2,"c_to_s_max":5143379,"c_to_s_stddev":982887.0,"s_to_c_min":63089,"s_to_c_avg":1290296.1,"s_to_c_max":4101854,"s_to_c_stddev":970076.5},"pktlen": {"c_to_s_min":95,"c_to_s_avg":115.3,"c_to_s_max":290,"c_to_s_stddev":44.4,"s_to_c_min":126,"s_to_c_avg":149.5,"s_to_c_max":323,"s_to_c_stddev":52.2}},"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012651592518,"flow_dst_last_pkt_time":1486012651846910,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":248,"flow_dst_max_l4_payload_len":281,"flow_src_tot_l4_payload_len":1392,"flow_dst_tot_l4_payload_len":1397,"midstream":0,"thread_ts_usec":1486012651846910,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":63089,"flow_avg":1073977.6,"flow_max":4101854,"flow_stddev":689094.3,"c_to_s_min":73173,"c_to_s_avg":917747.7,"c_to_s_max":1041523,"c_to_s_stddev":282753.7,"s_to_c_min":63089,"s_to_c_avg":1290296.1,"s_to_c_max":4101854,"s_to_c_stddev":970076.5},"pktlen": {"c_to_s_min":95,"c_to_s_avg":115.3,"c_to_s_max":290,"c_to_s_stddev":44.4,"s_to_c_min":126,"s_to_c_avg":149.5,"s_to_c_max":323,"s_to_c_stddev":52.2}},"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":369,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1486012730177697,"flow_src_last_pkt_time":1486012730177697,"flow_dst_last_pkt_time":1486012730177697,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":91,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":91,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":91,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1486012730177697,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":46961,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00629{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":369,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1486012730177697,"flow_dst_last_pkt_time":1486012730177697,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":133,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":133,"pkt_l4_len":99,"thread_ts_usec":1486012730177697,"pkt":"AhoR+f4q5LMYS\/DDCABFAAB3Lk5AAEARGh\/AqCtbBAICBLdxADUAYz49\/HsBAAABAAAAAAAAOGEwNTcwMGU2ZGE4MzUxMDAwMTYzNmY2ZTczNmY2YzY1MjAyODczNjk3Mjc2Njk2ZDY1NzMyOTAwDHNrdWxsc2VjbGFicwNvcmcAAA8AAQ=="} 01186{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":369,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1486012730177697,"flow_src_last_pkt_time":1486012730177697,"flow_dst_last_pkt_time":1486012730177697,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":91,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":91,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":91,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1486012730177697,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":46961,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"a05700e6da83510001636f6e736f6c65202873697276696d65732900.skullseclabs.org","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":15,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -41,5 +41,5 @@ ~~ total allocations/frees...: 121842/121842 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 486 chars -~~ json string max len.......: 1601 chars +~~ json string max len.......: 1600 chars ~~ json string avg len.......: 1042 chars diff --git a/test/results/bitcoin.pcap.out b/test/results/bitcoin.pcap.out index 84e3c5efc..983b25573 100644 --- a/test/results/bitcoin.pcap.out +++ b/test/results/bitcoin.pcap.out @@ -10,26 +10,26 @@ 00983{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":20,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328089970465,"flow_src_last_pkt_time":1301328089970465,"flow_dst_last_pkt_time":1301328089970465,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328089970465,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"69.118.54.122","src_port":55328,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00671{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1301328089970465,"flow_dst_last_pkt_time":1301328090023170,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328090023170,"pkt":"ACNshovhACPrIpS0CABFAACdT81AAHYGdmdFdjZ6wKgBjiCN2CBFUvMhECrU24AYAQRFgAAAAQEICgA8+QknMuFU+b602XZlcnNpb24AAAAAAFUAAAACfQAAAQAAAAAAAADZsJBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHtggAQAAAAAAAAAAAAAAAAAAAAAA\/\/9FdjZ6II3xDaOK7c9BwgAGwwEA"} 00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1301328089970465,"flow_dst_last_pkt_time":1301328090082335,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1301328090082335,"pkt":"ACNshovhACPrIpS0CABFAABIT85AAHYGdrtFdjZ6wKgBjiCN2CBFUvOKECrU24AYAQQkRgAAAQEICgA8+RAnMuFV+b602XZlcmFjawAAAAAAAAAAAAA="} -01487{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1301328089970465,"flow_src_last_pkt_time":1301328231627793,"flow_dst_last_pkt_time":1301328234475638,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":36033,"midstream":1,"thread_ts_usec":1301328234475638,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"69.118.54.122","src_port":55328,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":13660523.0,"flow_max":150974239,"flow_stddev":37118472.0,"c_to_s_min":141657328,"c_to_s_avg":146315776.0,"c_to_s_max":150974239,"c_to_s_stddev":4658821.5,"s_to_c_min":1,"s_to_c_avg":4816839.0,"s_to_c_max":71059721,"s_to_c_stddev":14724621.0},"pktlen": {"c_to_s_min":110,"c_to_s_avg":140.5,"c_to_s_max":171,"c_to_s_stddev":30.5,"s_to_c_min":86,"s_to_c_avg":1267.1,"s_to_c_max":1514,"s_to_c_stddev":517.1}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01480{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1301328089970465,"flow_src_last_pkt_time":1301328231627793,"flow_dst_last_pkt_time":1301328234475638,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":36033,"midstream":1,"thread_ts_usec":1301328234475638,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"69.118.54.122","src_port":55328,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9231048.0,"flow_max":141657328,"flow_stddev":28184708.0,"c_to_s_min":141657328,"c_to_s_avg":141657328.0,"c_to_s_max":141657328,"c_to_s_stddev":0.0,"s_to_c_min":1,"s_to_c_avg":4816839.0,"s_to_c_max":71059721,"s_to_c_stddev":14724621.0},"pktlen": {"c_to_s_min":110,"c_to_s_avg":140.5,"c_to_s_max":171,"c_to_s_stddev":30.5,"s_to_c_min":86,"s_to_c_avg":1267.1,"s_to_c_max":1514,"s_to_c_stddev":517.1}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":81,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328319392147,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319392147,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328319392147,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00676{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319392147,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328319392147,"pkt":"ACPrIpS0ACNshovhCABFAACdlslAAEAG4RzAqAGOSlm15dg0II2cIEOJr5xIoIAY\/\/\/04QAAAQEICicy6kgDS\/0c+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAAC\/sZBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/Slm15SCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII2qu+Pk33arXQC9vgEA"} 00983{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":81,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328319392147,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319392147,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328319392147,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00673{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":82,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319451340,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328319451340,"pkt":"ACNshovhACPrIpS0CABFAACdR2RAAHYG+oFKWbXlwKgBjiCN2DSvnEignCBD8oAYAQSuQgAAAQEICgNL\/SInMupI+b602XZlcnNpb24AAAAAAFUAAAAAfQAAAQAAAAAAAAC4sZBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHtg0AQAAAAAAAAAAAAAAAAAAAAAA\/\/9KWbXlII1O39\/bLGJPkgAHwwEA"} 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319554549,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1301328319554549,"pkt":"ACNshovhACPrIpS0CABFAABIR4lAAHYG+rFKWbXlwKgBjiCN2DSvnEkJnCBD8oAYAQTU7AAAAQEICgNL\/S8nMupI+b602XZlcmFjawAAAAAAAAAAAAA="} -01483{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":157,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1301328319392147,"flow_src_last_pkt_time":1301328419814379,"flow_dst_last_pkt_time":1301328420325069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":204,"flow_dst_tot_l4_payload_len":35103,"midstream":1,"thread_ts_usec":1301328420325069,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5,"flow_avg":6533583.0,"flow_max":100110670,"flow_stddev":19139748.0,"c_to_s_min":311562,"c_to_s_avg":36047244.0,"c_to_s_max":100110670,"c_to_s_stddev":45400528.0,"s_to_c_min":5,"s_to_c_avg":3480445.5,"s_to_c_max":39766075,"s_to_c_stddev":9569060.0},"pktlen": {"c_to_s_min":110,"c_to_s_avg":134.0,"c_to_s_max":171,"c_to_s_stddev":26.5,"s_to_c_min":86,"s_to_c_avg":1276.4,"s_to_c_max":1514,"s_to_c_stddev":520.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01483{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":157,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1301328319392147,"flow_src_last_pkt_time":1301328419814379,"flow_dst_last_pkt_time":1301328420325069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":204,"flow_dst_tot_l4_payload_len":35103,"midstream":1,"thread_ts_usec":1301328420325069,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5,"flow_avg":6495327.5,"flow_max":100110670,"flow_stddev":19444800.0,"c_to_s_min":311562,"c_to_s_avg":50211116.0,"c_to_s_max":100110670,"c_to_s_stddev":49899552.0,"s_to_c_min":5,"s_to_c_avg":3480445.5,"s_to_c_max":39766075,"s_to_c_stddev":9569060.0},"pktlen": {"c_to_s_min":110,"c_to_s_avg":134.0,"c_to_s_max":171,"c_to_s_stddev":26.5,"s_to_c_min":86,"s_to_c_avg":1276.4,"s_to_c_max":1514,"s_to_c_stddev":520.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":201,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328472925065,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328472925065,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328472925065,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00674{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":201,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328472925065,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328472925065,"pkt":"ACPrIpS0ACNshovhCABFAACde+1AAEAGZt3AqAGOQkRTFthXII0tj7Vf9ZidkYAY\/\/+IsAAAAQEICicy8EYAAAAA+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAABYspBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/QkRTFiCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII21Dgd4gTLgpgDgvgEA"} 00982{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":201,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328472925065,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328472925065,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328472925065,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00673{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":202,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328472987383,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328472987383,"pkt":"ACNshovhACPrIpS0CABFAACdMqtAAG8GgR9CRFMWwKgBjiCN2Ff1mJ2RLY+1yIAY\/5aM3QAAAQEICgBK7W0nMvBG+b602XZlcnNpb24AAAAAAFUAAACcfAAAAQAAAAAAAABZspBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHthXAQAAAAAAAAAAAAAAAAAAAAAA\/\/9CRFMWII0z3Rs+AfeDdwAHwwEA"} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":203,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328473077893,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1301328473077893,"pkt":"ACNshovhACPrIpS0CABFAABIMqxAAG8GgXNCRFMWwKgBjiCN2Ff1mJ36LY+1yIAY\/5avrAAAAQEICgBK7W4nMvBG+b602XZlcmFjawAAAAAAAAAAAAA="} 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":215,"source":"bitcoin.pcap","alias":"nDPId-test","packets-captured":215,"packets-processed":214,"total-skipped-flows":0,"total-l4-payload-len":260266,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":4,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":25,"global_ts_usec":1301328538215424} -01486{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":284,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1301328472925065,"flow_src_last_pkt_time":1301328607711436,"flow_dst_last_pkt_time":1301328616076718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9102,"flow_dst_tot_l4_payload_len":23653,"midstream":1,"thread_ts_usec":1301328616076718,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":10323346.0,"flow_max":134322478,"flow_stddev":26194846.0,"c_to_s_min":11,"c_to_s_avg":20799492.0,"c_to_s_max":134322478,"c_to_s_stddev":43327888.0,"s_to_c_min":43,"s_to_c_avg":6223984.5,"s_to_c_max":45582876,"s_to_c_stddev":12661871.0},"pktlen": {"c_to_s_min":110,"c_to_s_avg":1077.3,"c_to_s_max":1514,"c_to_s_stddev":619.9,"s_to_c_min":86,"s_to_c_avg":1094.4,"s_to_c_max":1514,"s_to_c_stddev":634.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01485{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":284,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1301328472925065,"flow_src_last_pkt_time":1301328607711436,"flow_dst_last_pkt_time":1301328616076718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9102,"flow_dst_tot_l4_payload_len":23653,"midstream":1,"thread_ts_usec":1301328616076718,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":8965742.0,"flow_max":134322478,"flow_stddev":25481870.0,"c_to_s_min":11,"c_to_s_avg":16848296.0,"c_to_s_max":134322478,"c_to_s_stddev":44401144.0,"s_to_c_min":43,"s_to_c_avg":6223984.5,"s_to_c_max":45582876,"s_to_c_stddev":12661871.0},"pktlen": {"c_to_s_min":110,"c_to_s_avg":1077.3,"c_to_s_max":1514,"c_to_s_stddev":619.9,"s_to_c_min":86,"s_to_c_avg":1094.4,"s_to_c_max":1514,"s_to_c_stddev":634.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":348,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328699728375,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699728375,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328699728375,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00674{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":348,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699728375,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328699728375,"pkt":"ACPrIpS0ACNshovhCABFAACdK9RAAEAGd8TAqAGOw9oQsthoII1BDXcu4yOzE4AY\/\/9L7wAAAQEICicy+R8AACIN+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAAA7s5BNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/w9oQsiCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII38Ree1v7hQ3gC4wAEA"} 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":348,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328699728375,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699728375,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328699728375,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00673{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":349,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699856583,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328699856583,"pkt":"ACNshovhACPrIpS0CABFAACdBc9AAHUGaMnD2hCywKgBjiCN2GjjI7MTQQ13l4AYAQQ8gQAAAQEICgAAIhwnMvkf+b602XZlcnNpb24AAAAAAFUAAAACfQAAAQAAAAAAAAA4s5BNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHthoAQAAAAAAAAAAAAAAAAAAAAAA\/\/\/D2hCyII0FGo5IhpYwXgAKwwEA"} 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":350,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699969841,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1301328699969841,"pkt":"ACNshovhACPrIpS0CABFAABIBdlAAHUGaRTD2hCywKgBjiCN2GjjI7N8QQ13l4AYAQRZWQAAAQEICgAAIignMvkg+b602XZlcmFjawAAAAAAAAAAAAA="} -01485{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":390,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1301328699728375,"flow_src_last_pkt_time":1301328741904043,"flow_dst_last_pkt_time":1301328743741542,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5826,"flow_dst_tot_l4_payload_len":27918,"midstream":1,"thread_ts_usec":1301328743741542,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":34,"flow_avg":2772137.8,"flow_max":41186439,"flow_stddev":7850091.0,"c_to_s_min":34,"c_to_s_avg":7449206.5,"c_to_s_max":41186439,"c_to_s_stddev":15110998.0,"s_to_c_min":2317,"s_to_c_avg":1692814.1,"s_to_c_max":17195103,"s_to_c_stddev":4115513.8},"pktlen": {"c_to_s_min":110,"c_to_s_avg":1037.0,"c_to_s_max":1514,"c_to_s_stddev":635.5,"s_to_c_min":86,"s_to_c_avg":1139.8,"s_to_c_max":1514,"s_to_c_stddev":616.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01485{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":390,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1301328699728375,"flow_src_last_pkt_time":1301328741904043,"flow_dst_last_pkt_time":1301328743741542,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5826,"flow_dst_tot_l4_payload_len":27918,"midstream":1,"thread_ts_usec":1301328743741542,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":34,"flow_avg":2780285.0,"flow_max":41186439,"flow_stddev":7975567.0,"c_to_s_min":34,"c_to_s_avg":8435134.0,"c_to_s_max":41186439,"c_to_s_stddev":16376153.0,"s_to_c_min":2317,"s_to_c_avg":1692814.1,"s_to_c_max":17195103,"s_to_c_stddev":4115513.8},"pktlen": {"c_to_s_min":110,"c_to_s_avg":1037.0,"c_to_s_max":1514,"c_to_s_stddev":635.5,"s_to_c_min":86,"s_to_c_avg":1139.8,"s_to_c_max":1514,"s_to_c_stddev":616.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":495,"source":"bitcoin.pcap","alias":"nDPId-test","packets-captured":495,"packets-processed":494,"total-skipped-flows":0,"total-l4-payload-len":520135,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":5,"total-detection-updates":0,"total-updates":0,"current-active-flows":5,"total-active-flows":5,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":33,"global_ts_usec":1301329138452825} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":521,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301329304767401,"flow_src_last_pkt_time":1301329304767401,"flow_dst_last_pkt_time":1301329304767401,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301329304767401,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"184.58.165.119","src_port":55487,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00675{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":521,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1301329304767401,"flow_dst_last_pkt_time":1301329304767401,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301329304767401,"pkt":"ACPrIpS0ACNshovhCABFAACdDAhAAEAGDmvAqAGOuDqld9i\/II0stRatNDMFDIAY\/\/9S8AAAAQEICiczELoAVdzf+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAACYtZBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/uDqldyCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII0b7ZMAlkQ1dwALwwEA"} diff --git a/test/results/bittorrent.pcap.out b/test/results/bittorrent.pcap.out index 95cfef895..66f2442e1 100644 --- a/test/results/bittorrent.pcap.out +++ b/test/results/bittorrent.pcap.out @@ -94,7 +94,7 @@ 00691{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":82,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_src_last_pkt_time":1455469978413724,"flow_dst_last_pkt_time":1455469978662941,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":185,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":185,"pkt_l4_len":151,"thread_ts_usec":1455469978662941,"pkt":"xCwDBkn+LFbcjDU0CABFAACrdTRAAHcGzXJf6p8QwKgBA6D1zrlkqPSW1A6dPYAYAMM1JwAAAQEICgIQtLMZ3BteE0JpdFRvcnJlbnQgcHJvdG9jb2wAAAAAABAABdz83M+55nDMw91Ax4wWHyvqJDEmLVVUMzQ1MC3wos5cW3r846cWQCoAAADoFABkMTplaTBlNDppcHY0NDpf6p8QMTI6Y29tcGxldGVfYWdvaTQ1ZTE6bWQxMTo="} 01355{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_src_last_pkt_time":1455469978413724,"flow_dst_last_pkt_time":1455469978678722,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":587,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":587,"pkt_l4_len":553,"thread_ts_usec":1455469978678722,"pkt":"xCwDBkn+LFbcjDU0CABFAAI9dTZAAHcGy95f6p8QwKgBA6D1zrlkqPUN1A6dPYAZAMPqbAAAAQEICgIQtLMZ3BtedXBsb2FkX29ubHlpM2UxMTpsdF9kb250aGF2ZWk3ZTEyOnV0X2hvbGVwdW5jaGk0ZTExOnV0X21ldGFkYXRhaTJlNjp1dF9wZXhpMWUxMDp1dF9jb21tZW50aTZlZTEzOm1ldGFkYXRhX3NpemVpMTkwMDllMTpwaTQxMjA1ZTQ6cmVxcWkyNTVlMTp2MTU6zrxUb3JyZW50IDMuNC41Mjp5cGk1MjkyMWU2OnlvdXJpcDQ6UjfNAWUAAAB0Bf\/\/\/\/\/7\/\/\/\/\/\/\/\/\/f\/\/\/\/9\/\/\/\/3\/\/\/\/\/\/\/7\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/\/\/\/\/\/\/3\/\/\/\/\/\/\/\/\/\/v7\/\/v\/\/\/\/\/7\/\/3\/f\/\/\/\/\/r\/\/\/v\/\/\/\/9\/\/\/\/\/\/\/\/\/+\/\/\/\/\/3\/7\/\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/\/\/\/\/\/\/\/9\/\/\/\/\/9\/\/f\/4AAAAAFBAAAACUAAAAFBAAAAJwAAAAFBAAAArkAAAAFBAAAAfAAAAAFBAAAA3QAAAAFBAAAAosAAAAFBAAAAZ8AAAAFBAAAAdUAAAAFBAAAAqwAAAAFBAAAAhUAAAAFBAAAAM0AAAAFBAAAAk4AAAAFBAAAAIAAAAAFBAAAA4IAAAAFBAAAAF4AAAAFBAAAAi0AAAAFBAAAAVYAAAAFBAAAAZcAAAAFBAAAA1AAAAAFBAAAAeYAAAAFBAAAAa8AAAAFBAAAAhcAAAAFBAAAAw0AAAAFBAAAARs="} 01357{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":85,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1455469978422152,"flow_dst_last_pkt_time":1455469978679019,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":586,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":586,"pkt_l4_len":552,"thread_ts_usec":1455469978679019,"pkt":"xCwDBkn+LFbcjDU0CABFAAI8IwBAAHYG\/QBf7cEiwKgBAyw5zrr6gfxfv4GyU4AZAQJxbQAAAQEICgADmIEZ3BtmcGxvYWRfb25seWkzZTExOmx0X2RvbnRoYXZlaTdlMTI6dXRfaG9sZXB1bmNoaTRlMTE6dXRfbWV0YWRhdGFpMmU2OnV0X3BleGkxZTEwOnV0X2NvbW1lbnRpNmVlMTM6bWV0YWRhdGFfc2l6ZWkxOTAwOWUxOnBpMTEzMjFlNDpyZXFxaTI1NWUxOnYxNTrOvFRvcnJlbnQgMy40LjUyOnlwaTUyOTIyZTY6eW91cmlwNDpSN80BZQAAAHQF\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/+\/\/\/+\/\/7\/\/\/\/\/7\/\/\/\/\/\/\/\/\/\/\/\/\/\/v\/\/\/v\/\/v\/\/+P\/\/\/\/\/\/\/7\/\/\/\/\/\/\/\/+\/7\/7\/\/\/\/\/\/7\/\/\/\/\/\/v\/\/3+\/\/+\/\/\/\/\/\/\/\/\/\/\/\/\/9\/\/\/7\/\/\/+\/\/\/\/\/\/\/\/\/\/\/\/\/\/+\/\/\/\/\/\/\/\/\/\/3\/\/gAAAAAUEAAACNQAAAAUEAAACYwAAAAUEAAADgAAAAAUEAAAB1wAAAAUEAAAAyQAAAAUEAAABzQAAAAUEAAACUQAAAAUEAAABYQAAAAUEAAACzQAAAAUEAAAApQAAAAUEAAACtgAAAAUEAAACSAAAAAUEAAACDQAAAAUEAAABIQAAAAUEAAABYwAAAAUEAAAC5wAAAAUEAAAAlQAAAAUEAAABYgAAAAUEAAABlQAAAAUEAAADQQAAAAUEAAAB4wAAAAUEAAABOQAAAAUEAAABSwAAAAUEAAAAfQ=="} -01500{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1455469976336620,"flow_src_last_pkt_time":1455469980135637,"flow_dst_last_pkt_time":1455469980194523,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":17,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":176,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":904,"flow_dst_tot_l4_payload_len":20536,"midstream":1,"thread_ts_usec":1455469980194523,"l3_proto":"ip4","src_ip":"192.168.1.3","dst_ip":"198.100.146.9","src_port":52915,"dst_port":60163,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":12043,"flow_avg":277015.2,"flow_max":1207567,"flow_stddev":280433.6,"c_to_s_min":12043,"c_to_s_avg":417215.3,"c_to_s_max":1207567,"c_to_s_stddev":321866.7,"s_to_c_min":12813,"s_to_c_avg":192895.2,"s_to_c_max":919975,"s_to_c_stddev":211660.3},"pktlen": {"c_to_s_min":83,"c_to_s_avg":142.3,"c_to_s_max":242,"c_to_s_stddev":59.3,"s_to_c_min":80,"s_to_c_avg":1092.8,"s_to_c_max":1506,"s_to_c_stddev":551.9}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} +01498{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1455469976336620,"flow_src_last_pkt_time":1455469980135637,"flow_dst_last_pkt_time":1455469980194523,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":17,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":176,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":904,"flow_dst_tot_l4_payload_len":20536,"midstream":1,"thread_ts_usec":1455469980194523,"l3_proto":"ip4","src_ip":"192.168.1.3","dst_ip":"198.100.146.9","src_port":52915,"dst_port":60163,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":12043,"flow_avg":246997.4,"flow_max":919975,"flow_stddev":228791.8,"c_to_s_min":12043,"c_to_s_avg":345365.2,"c_to_s_max":779765,"c_to_s_stddev":225979.8,"s_to_c_min":12813,"s_to_c_avg":192895.2,"s_to_c_max":919975,"s_to_c_stddev":211660.3},"pktlen": {"c_to_s_min":83,"c_to_s_avg":142.3,"c_to_s_max":242,"c_to_s_stddev":59.3,"s_to_c_min":80,"s_to_c_avg":1092.8,"s_to_c_max":1506,"s_to_c_stddev":551.9}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":113,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455469980213097,"flow_src_last_pkt_time":1455469980213097,"flow_dst_last_pkt_time":1455469980213097,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":68,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1455469980213097,"l3_proto":"ip4","src_ip":"192.168.1.3","dst_ip":"83.216.184.241","src_port":52927,"dst_port":51413,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00625{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":113,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1455469980213097,"flow_dst_last_pkt_time":1455469980213097,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":134,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":134,"pkt_l4_len":100,"thread_ts_usec":1455469980213097,"pkt":"LFbcjDU0xCwDBkn+CABFAAB4U25AAEAGAADAqAEDU9i48c6\/yNUzq1kTBM6UFIAYL5vO3wAAAQEIChncIiN4G2eaE0JpdFRvcnJlbnQgcHJvdG9jb2wAAAAAABAABdz83M+55nDMw91Ax4wWHyvqJDEmLVVNMTg2MC1Bjq+Lj4Q+qUQM4PY="} 00941{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":113,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455469980213097,"flow_src_last_pkt_time":1455469980213097,"flow_dst_last_pkt_time":1455469980213097,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":68,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1455469980213097,"l3_proto":"ip4","src_ip":"192.168.1.3","dst_ip":"83.216.184.241","src_port":52927,"dst_port":51413,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","bittorrent": {"hash":"dcfcdccfb9e670ccc3dd40c78c161f2bea243126"}}} diff --git a/test/results/bittorrent_utp.pcap.out b/test/results/bittorrent_utp.pcap.out index 005052426..6b226a3b9 100644 --- a/test/results/bittorrent_utp.pcap.out +++ b/test/results/bittorrent_utp.pcap.out @@ -5,7 +5,7 @@ 01035{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1456385034843882,"flow_src_last_pkt_time":1456385034843882,"flow_dst_last_pkt_time":1456385034843882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":104,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":104,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1456385034843882,"l3_proto":"ip4","src_ip":"82.243.113.43","dst_ip":"192.168.1.5","src_port":64969,"dst_port":40959,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","bittorrent": {"hash":""}}} 00643{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1456385039236076,"flow_dst_last_pkt_time":1456385034843882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":146,"pkt_l4_len":112,"thread_ts_usec":1456385039236076,"pkt":"xCwDBkn+LFbcjDU0CABFCACEPR1AAHARR3hS83ErwKgBBf3Jn\/8AcOi+ZDE6YWQyOmlkMjA69\/YAfOoTUG5RTefsvJTyrlFxFfg5OmluZm9faGFzaDIwOvf2AbAuK1Rd0f1URppB\/xHRD5bKZTE6cTk6Z2V0X3BlZXJzMTp0MjoZ4TE6djQ6TFQBATE6eTE6cWU="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1456385040274000,"flow_dst_last_pkt_time":1456385034843882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1456385040274000,"pkt":"xCwDBkn+LFbcjDU0CABFCAAwPfxAAHARRu1S83ErwKgBBf3Jn\/8AHJxJQQBTAhDusvAAAAAAAAAAAOf1AAA="} -01510{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1456385034843882,"flow_src_last_pkt_time":1456385041276103,"flow_dst_last_pkt_time":1456385041181191,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1472,"flow_dst_max_l4_payload_len":477,"flow_src_tot_l4_payload_len":14142,"flow_dst_tot_l4_payload_len":872,"midstream":0,"thread_ts_usec":1456385041276103,"l3_proto":"ip4","src_ip":"82.243.113.43","dst_ip":"192.168.1.5","src_port":64969,"dst_port":40959,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":959,"flow_avg":9132663.0,"flow_max":279475674,"flow_stddev":48569460.0,"c_to_s_min":959,"c_to_s_avg":15883772.0,"c_to_s_max":279475674,"c_to_s_stddev":63938280.0,"s_to_c_min":11575,"s_to_c_avg":452664.9,"s_to_c_max":5430275,"s_to_c_stddev":1381123.5},"pktlen": {"c_to_s_min":62,"c_to_s_avg":827.7,"c_to_s_max":1514,"c_to_s_stddev":634.3,"s_to_c_min":62,"s_to_c_avg":104.3,"s_to_c_max":519,"s_to_c_stddev":116.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} +01501{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1456385034843882,"flow_src_last_pkt_time":1456385041276103,"flow_dst_last_pkt_time":1456385041181191,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1472,"flow_dst_max_l4_payload_len":477,"flow_src_tot_l4_payload_len":14142,"flow_dst_tot_l4_payload_len":872,"midstream":0,"thread_ts_usec":1456385041276103,"l3_proto":"ip4","src_ip":"82.243.113.43","dst_ip":"192.168.1.5","src_port":64969,"dst_port":40959,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":959,"flow_avg":411920.3,"flow_max":5430275,"flow_stddev":1202360.0,"c_to_s_min":959,"c_to_s_avg":378365.9,"c_to_s_max":4392194,"c_to_s_stddev":1030943.2,"s_to_c_min":11575,"s_to_c_avg":452664.9,"s_to_c_max":5430275,"s_to_c_stddev":1381123.5},"pktlen": {"c_to_s_min":62,"c_to_s_avg":827.7,"c_to_s_max":1514,"c_to_s_stddev":634.3,"s_to_c_min":62,"s_to_c_avg":104.3,"s_to_c_max":519,"s_to_c_stddev":116.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 01058{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":86,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":47,"flow_dst_packets_processed":39,"flow_first_seen":1456385034843882,"flow_src_last_pkt_time":1456385044298958,"flow_dst_last_pkt_time":1456385054059812,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1472,"flow_dst_max_l4_payload_len":477,"flow_src_tot_l4_payload_len":34679,"flow_dst_tot_l4_payload_len":3198,"midstream":0,"thread_ts_usec":1456385054059812,"l3_proto":"ip4","src_ip":"82.243.113.43","dst_ip":"192.168.1.5","src_port":64969,"dst_port":40959,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 00567{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":86,"source":"bittorrent_utp.pcap","alias":"nDPId-test","packets-captured":86,"packets-processed":86,"total-skipped-flows":0,"total-l4-payload-len":37877,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1456385054059812} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121522/121522 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 485 chars -~~ json string max len.......: 1515 chars -~~ json string avg len.......: 967 chars +~~ json string max len.......: 1506 chars +~~ json string avg len.......: 962 chars diff --git a/test/results/bot.pcap.out b/test/results/bot.pcap.out index 132dcbdca..9dd0435bd 100644 --- a/test/results/bot.pcap.out +++ b/test/results/bot.pcap.out @@ -5,7 +5,7 @@ 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1645108240233170,"flow_dst_last_pkt_time":1645108240233579,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":66,"pkt_l4_len":28,"thread_ts_usec":1645108240233579,"pkt":"AAAMB6wytJaRl+L8gQAATQgARQAAMAAAQAA\/BspbWR9I3ChNpyQAUP0AWPWTl7cGye1wEnIQNMAAAAIEBbQBAQQC"} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1645108240339696,"flow_dst_last_pkt_time":1645108240233579,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":64,"pkt_l4_len":20,"thread_ts_usec":1645108240339696,"pkt":"AFBWtlQQQFU5D63CgQAATQgARQAAKBFTQABuBooQKE2nJFkfSNz9AABQtwbJ7Vj1k5hQEPrw2KMAAKqq+vDYow=="} 01127{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1645108240233170,"flow_src_last_pkt_time":1645108240339700,"flow_dst_last_pkt_time":1645108240233579,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":316,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":316,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1645108240339700,"l3_proto":"ip4","src_ip":"40.77.167.36","dst_ip":"89.31.72.220","src_port":64768,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Azure","proto_id":"7.276","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"atlanteditorino.it","http": {"url":"atlanteditorino.it\/quartieri\/img\/S.Donato_M.Vittoria1930_B.jpg","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (compatible; bingbot\/2.0; +http:\/\/www.bing.com\/bingbot.htm)","detected_os":"bingbot\/2.0"}}} -01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1645108240233170,"flow_src_last_pkt_time":1645108240455112,"flow_dst_last_pkt_time":1645108240455337,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":316,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":316,"flow_dst_tot_l4_payload_len":33120,"midstream":0,"thread_ts_usec":1645108240455337,"l3_proto":"ip4","src_ip":"40.77.167.36","dst_ip":"89.31.72.220","src_port":64768,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":81947592.0,"flow_max":2621878722,"flow_stddev":456185088.0,"c_to_s_min":4,"c_to_s_avg":374585824.0,"c_to_s_max":2621878722,"c_to_s_stddev":917453440.0,"s_to_c_min":4,"s_to_c_avg":8886.7,"s_to_c_max":106682,"s_to_c_stddev":28682.5},"pktlen": {"c_to_s_min":64,"c_to_s_avg":108.6,"c_to_s_max":374,"c_to_s_stddev":108.4,"s_to_c_min":64,"s_to_c_avg":1383.4,"s_to_c_max":1498,"s_to_c_stddev":388.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Azure","proto_id":"7.276","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01335{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1645108240233170,"flow_src_last_pkt_time":1645108240455112,"flow_dst_last_pkt_time":1645108240455337,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":316,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":316,"flow_dst_tot_l4_payload_len":33120,"midstream":0,"thread_ts_usec":1645108240455337,"l3_proto":"ip4","src_ip":"40.77.167.36","dst_ip":"89.31.72.220","src_port":64768,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":14326.1,"flow_max":114244,"flow_stddev":36180.2,"c_to_s_min":4,"c_to_s_avg":36990.3,"c_to_s_max":114244,"c_to_s_stddev":51946.2,"s_to_c_min":4,"s_to_c_avg":8886.7,"s_to_c_max":106682,"s_to_c_stddev":28682.5},"pktlen": {"c_to_s_min":64,"c_to_s_avg":108.6,"c_to_s_max":374,"c_to_s_stddev":108.4,"s_to_c_min":64,"s_to_c_avg":1383.4,"s_to_c_max":1498,"s_to_c_stddev":388.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Azure","proto_id":"7.276","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00915{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":402,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":115,"flow_dst_packets_processed":287,"flow_first_seen":1645108240233170,"flow_src_last_pkt_time":1645108245896135,"flow_dst_last_pkt_time":1645108245896491,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":316,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":316,"flow_dst_tot_l4_payload_len":406780,"midstream":0,"thread_ts_usec":1645108245896491,"l3_proto":"ip4","src_ip":"40.77.167.36","dst_ip":"89.31.72.220","src_port":64768,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Azure","proto_id":"7.276","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":402,"source":"bot.pcap","alias":"nDPId-test","packets-captured":402,"packets-processed":402,"total-skipped-flows":0,"total-l4-payload-len":407096,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1645108245896491} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121841/121841 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 474 chars -~~ json string max len.......: 1363 chars -~~ json string avg len.......: 890 chars +~~ json string max len.......: 1340 chars +~~ json string avg len.......: 881 chars diff --git a/test/results/capwap.pcap.out b/test/results/capwap.pcap.out index 0d5855116..93f212fc7 100644 --- a/test/results/capwap.pcap.out +++ b/test/results/capwap.pcap.out @@ -28,7 +28,7 @@ 00867{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":21,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1422329005767224,"flow_src_last_pkt_time":1422329005767224,"flow_dst_last_pkt_time":1422329005767224,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":114,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":114,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":114,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329005767224,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12380,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00645{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1422329005767984,"flow_dst_last_pkt_time":1422329005767224,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":156,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":156,"pkt_l4_len":122,"thread_ts_usec":1422329005767984,"pkt":"uDhh8wWsJOmzR64gCABFwACOANsAAH8RpGDAqAoJwKgKChR+MFwAegAAABACAAAAAAAAAAACAABlAAABACQAAAPoAAAABQIBAAMAQJYAAAEABAcFZgAAQJYAAAAABAEAAAEABAAJQ2lzY28yNTA0BBgABQAAAAAAAAoABsCoCgkAAAAlAAcAQJYAANAAACUACwBAlgAAl1THBF8A"} 00594{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1422329005767984,"flow_dst_last_pkt_time":1422329015765658,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":115,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":115,"pkt_l4_len":81,"thread_ts_usec":1422329015765658,"pkt":"JOmzR64guDhh8wWsCABFwABlAAVAAP8R5V7AqAoKwKgKCTBcFH4AURfgAQAAABb+\/wAAAAAAAAAAADgBAAAsAAAAAAAAACz+\/1Z4mrz13vIlLHFGU8KNmBPwkXkcj0vpbAEOfTafYoZSAAAABAAvADMBAA=="} -01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1422329005767224,"flow_src_last_pkt_time":1422329016659899,"flow_dst_last_pkt_time":1422329016659404,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1457,"flow_dst_max_l4_payload_len":1457,"flow_src_tot_l4_payload_len":8579,"flow_dst_tot_l4_payload_len":6468,"midstream":0,"thread_ts_usec":1422329016659899,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12380,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":726190.7,"flow_max":10093423,"flow_stddev":2492721.0,"c_to_s_min":1,"c_to_s_avg":640796.5,"c_to_s_max":10093423,"c_to_s_stddev":2365189.8,"s_to_c_min":1,"s_to_c_avg":837860.0,"s_to_c_max":9998434,"s_to_c_stddev":2646094.0},"pktlen": {"c_to_s_min":106,"c_to_s_avg":546.6,"c_to_s_max":1499,"c_to_s_stddev":501.4,"s_to_c_min":115,"s_to_c_avg":473.2,"s_to_c_max":1499,"s_to_c_stddev":463.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1422329005767224,"flow_src_last_pkt_time":1422329016659899,"flow_dst_last_pkt_time":1422329016659404,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1457,"flow_dst_max_l4_payload_len":1457,"flow_src_tot_l4_payload_len":8579,"flow_dst_tot_l4_payload_len":6468,"midstream":0,"thread_ts_usec":1422329016659899,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12380,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":751201.9,"flow_max":10093423,"flow_stddev":2531631.0,"c_to_s_min":1,"c_to_s_avg":680792.2,"c_to_s_max":10093423,"c_to_s_stddev":2432398.2,"s_to_c_min":1,"s_to_c_avg":837860.0,"s_to_c_max":9998434,"s_to_c_stddev":2646094.0},"pktlen": {"c_to_s_min":106,"c_to_s_avg":546.6,"c_to_s_max":1499,"c_to_s_stddev":501.4,"s_to_c_min":115,"s_to_c_avg":473.2,"s_to_c_max":1499,"s_to_c_stddev":463.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":116,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1422329017533285,"flow_src_last_pkt_time":1422329017533285,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329017533285,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"192.168.10.9","src_port":12380,"dst_port":5247,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00602{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":116,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1422329017533285,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1422329017533285,"pkt":"JOmzR64guDhh8wWsCABFwABsAAFAAEARpFzAqAoKwKgKCTBcFH8AWAAAACADIAAAAAABBAAAAAAAAABAAABYCiBpDiAAAAAAAABYCiBpDiAAAN0JAECWJQEFKDMU3RsAQJYlAAEcq6fyE50AAEcACwAFJ\/9UIA8C1d0="} 00865{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":116,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1422329017533285,"flow_src_last_pkt_time":1422329017533285,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329017533285,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"192.168.10.9","src_port":12380,"dst_port":5247,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -36,7 +36,7 @@ 00838{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":118,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1422329018533282,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":296,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":296,"pkt_l4_len":262,"thread_ts_usec":1422329018533282,"pkt":"JOmzR64guDhh8wWsCABFwAEaAANAAEARo6zAqAoKwKgKCTBcFH8BBgAAACADIAAAAAABBAAAAAAAAABAAABYCiBpDiAAAAAAAABYCiBpDiAAAN0JAECWJQEFN3Va3RsAQJYlAAEcq6fyE50AACMACwAFMGt3IAoC5+ndGwBAliUAARyrp\/ITnQAAEwALAAUwdLNADQLo6d0bAECWJQABZICZPC30AAADAAsABTJ3KPD9AqWm3RsAQJYlAAH4Ht\/dIQ8AAB8ACwAFNejwUJoCvcLdGwBAliUAAfge390hDwAAEgALAAU2FOxglQK9wt0bAECWJQAB+B7f3SEPAAAcAAsABTZHxnCRAr\/A3RsAQJYlAAH4Ht\/dIQ8AAAcACwAFN246sJsCvr4="} 00186{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":192,"source":"capwap.pcap","alias":"nDPId-test","layer_type":375,"global_ts_usec":1422329034072795} 00793{"packet_event_id":1,"packet_event_name":"packet","packet_id":192,"source":"capwap.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":389,"pkt_type":375,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":389,"pkt_l4_len":0,"thread_ts_usec":1422329034032779,"pkt":"AQAMzMzMuDhh8wWsAXeqqgMAAAwgAAK0KHQAAQAUQVBiODM4LjYxZjMuMDVhYwAFAPJDaXNjbyBJT1MgU29mdHdhcmUsIEMyNjAwIFNvZnR3YXJlIChBUDNHMi1LOVc4LU0pLCBWZXJzaW9uIDE1LjIoNClKQTEsIFJFTEVBU0UgU09GVFdBUkUgKGZjMikKVGVjaG5pY2FsIFN1cHBvcnQ6IGh0dHA6Ly93d3cuY2lzY28uY29tL3RlY2hzdXBwb3J0CkNvcHlyaWdodCAoYykgMTk4Ni0yMDEzIGJ5IENpc2NvIFN5c3RlbXMsIEluYy4KQ29tcGlsZWQgVHVlIDMwLUp1bC0xMyAyMjo1NyBieSBwcm9kX3JlbF90ZWFtAAYAG2Npc2NvIEFJUi1DQVAyNjAySS1RLUs5AAIAEQAAAAEBAcwABMCoCgoAAwAWR2lnYWJpdEV0aGVybmV0MC4xAAQACAAAAAMACwAFAQAQAAY8KAAZABCkjQABAAA8KAAAMsg="} -01329{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":222,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1422329017533285,"flow_src_last_pkt_time":1422329049032294,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":283,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":4909,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329049032294,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"192.168.10.9","src_port":12380,"dst_port":5247,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":499857,"flow_avg":1009552.0,"flow_max":3999845,"flow_stddev":862094.7,"c_to_s_min":499857,"c_to_s_avg":1009552.0,"c_to_s_max":3999845,"c_to_s_stddev":862094.7,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":122,"c_to_s_avg":195.4,"c_to_s_max":325,"c_to_s_stddev":58.4,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01329{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":222,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1422329017533285,"flow_src_last_pkt_time":1422329049032294,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":283,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":4909,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329049032294,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"192.168.10.9","src_port":12380,"dst_port":5247,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":499857,"flow_avg":1016097.1,"flow_max":3999845,"flow_stddev":875106.2,"c_to_s_min":499857,"c_to_s_avg":1016097.1,"c_to_s_max":3999845,"c_to_s_stddev":875106.2,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":122,"c_to_s_avg":195.4,"c_to_s_max":325,"c_to_s_stddev":58.4,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00186{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":293,"source":"capwap.pcap","alias":"nDPId-test","layer_type":375,"global_ts_usec":1422329091711112} 00793{"packet_event_id":1,"packet_event_name":"packet","packet_id":293,"source":"capwap.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":389,"pkt_type":375,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":389,"pkt_l4_len":0,"thread_ts_usec":1422329090053500,"pkt":"AQAMzMzMuDhh8wWsAXeqqgMAAAwgAAK0KHQAAQAUQVBiODM4LjYxZjMuMDVhYwAFAPJDaXNjbyBJT1MgU29mdHdhcmUsIEMyNjAwIFNvZnR3YXJlIChBUDNHMi1LOVc4LU0pLCBWZXJzaW9uIDE1LjIoNClKQTEsIFJFTEVBU0UgU09GVFdBUkUgKGZjMikKVGVjaG5pY2FsIFN1cHBvcnQ6IGh0dHA6Ly93d3cuY2lzY28uY29tL3RlY2hzdXBwb3J0CkNvcHlyaWdodCAoYykgMTk4Ni0yMDEzIGJ5IENpc2NvIFN5c3RlbXMsIEluYy4KQ29tcGlsZWQgVHVlIDMwLUp1bC0xMyAyMjo1NyBieSBwcm9kX3JlbF90ZWFtAAYAG2Npc2NvIEFJUi1DQVAyNjAySS1RLUs5AAIAEQAAAAEBAcwABMCoCgoAAwAWR2lnYWJpdEV0aGVybmV0MC4xAAQACAAAAAMACwAFAQAQAAY8KAAZABCkjQABAAA8KAAAMsg="} 00672{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":358,"source":"capwap.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1422329136181809,"flow_dst_last_pkt_time":1422329005766358,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":165,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":165,"pkt_l4_len":131,"thread_ts_usec":1422329136181809,"pkt":"\/\/\/\/\/\/\/\/uDhh8wWsCABFwACXAGlAAP8Rr3rAqAoK\/\/\/\/\/zBcFH4AgwAAACACEAAAAAAGWAogaQ4g\/wAAABMAAGYAABQAAQEAJwAoAgIAAQBAlgAAAAAEAQAAAABAlgAAAQAEBwVmAABAlgAAAgAEDAQZAAApAAEEACwAAQEAJQAKAECWAADPAQAAAQAlABYAQJYAAAVBUGI4MzguNjFmMy4wNWFj"} diff --git a/test/results/cassandra.pcap.out b/test/results/cassandra.pcap.out index ec87b04f6..e88d251b2 100644 --- a/test/results/cassandra.pcap.out +++ b/test/results/cassandra.pcap.out @@ -10,8 +10,8 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1450889498074112,"flow_dst_last_pkt_time":1450889498074125,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1450889498074125,"pkt":"AAAAAAAAAAAAAAAACABFAAA8AABAAEAGPLp\/AAABfwAAASNStckXl5aGpl5H6aASqqr+MAAAAgT\/1wQCCAon7JNsJ+yTbAEDAwc="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1450889498074133,"flow_dst_last_pkt_time":1450889498074125,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1450889498074133,"pkt":"AAAAAAAAAAAAAAAACABFAAA01IVAAEAGaDx\/AAABfwAAAbXJI1KmXkfpF5eWh4AQAVb+KAAAAQEICifsk2wn7JNs"} 00866{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":34,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":4,"flow_first_seen":1450889498074112,"flow_src_last_pkt_time":1450889498080407,"flow_dst_last_pkt_time":1450889498080853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":61,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":70,"midstream":0,"thread_ts_usec":1450889498080853,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46537,"dst_port":9042,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} -01373{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":57,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1450889498032587,"flow_src_last_pkt_time":1450889525230546,"flow_dst_last_pkt_time":1450889525227132,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":321,"flow_dst_max_l4_payload_len":25148,"flow_src_tot_l4_payload_len":938,"flow_dst_tot_l4_payload_len":59385,"midstream":0,"thread_ts_usec":1450889525230546,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46536,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":73599864.0,"flow_max":2300803259,"flow_stddev":400066656.0,"c_to_s_min":19,"c_to_s_avg":136941248.0,"c_to_s_max":2300803259,"c_to_s_stddev":540999808.0,"s_to_c_min":11,"s_to_c_avg":1812969.6,"s_to_c_max":25963183,"s_to_c_stddev":6461345.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":121.6,"c_to_s_max":387,"c_to_s_stddev":77.9,"s_to_c_min":66,"s_to_c_avg":4025.5,"s_to_c_max":25214,"s_to_c_stddev":8138.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} -01361{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":66,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1450889498074112,"flow_src_last_pkt_time":1450889535475611,"flow_dst_last_pkt_time":1450889531765769,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":11446,"flow_src_tot_l4_payload_len":794,"flow_dst_tot_l4_payload_len":12001,"midstream":0,"thread_ts_usec":1450889535475611,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46537,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":13,"flow_avg":2222296.0,"flow_max":25937061,"flow_stddev":6417072.5,"c_to_s_min":21,"c_to_s_avg":2078989.5,"c_to_s_max":25897068,"c_to_s_stddev":6080335.0,"s_to_c_min":13,"s_to_c_avg":2406546.8,"s_to_c_max":25937061,"s_to_c_stddev":6821231.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":110.6,"c_to_s_max":291,"c_to_s_stddev":58.8,"s_to_c_min":66,"s_to_c_avg":923.8,"s_to_c_max":11512,"s_to_c_stddev":2937.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} +01362{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":57,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1450889498032587,"flow_src_last_pkt_time":1450889525230546,"flow_dst_last_pkt_time":1450889525227132,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":321,"flow_dst_max_l4_payload_len":25148,"flow_src_tot_l4_payload_len":938,"flow_dst_tot_l4_payload_len":59385,"midstream":0,"thread_ts_usec":1450889525230546,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46536,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":1754596.9,"flow_max":26002233,"flow_stddev":6369210.5,"c_to_s_min":19,"c_to_s_avg":1699872.5,"c_to_s_max":26002233,"c_to_s_stddev":6281113.5,"s_to_c_min":11,"s_to_c_avg":1812969.6,"s_to_c_max":25963183,"s_to_c_stddev":6461345.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":121.6,"c_to_s_max":387,"c_to_s_stddev":77.9,"s_to_c_min":66,"s_to_c_avg":4025.5,"s_to_c_max":25214,"s_to_c_stddev":8138.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} +01361{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":66,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1450889498074112,"flow_src_last_pkt_time":1450889535475611,"flow_dst_last_pkt_time":1450889531765769,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":11446,"flow_src_tot_l4_payload_len":794,"flow_dst_tot_l4_payload_len":12001,"midstream":0,"thread_ts_usec":1450889535475611,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46537,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":13,"flow_avg":2293327.5,"flow_max":25937061,"flow_stddev":6507358.0,"c_to_s_min":21,"c_to_s_avg":2200088.2,"c_to_s_max":25897068,"c_to_s_stddev":6235482.5,"s_to_c_min":13,"s_to_c_avg":2406546.8,"s_to_c_max":25937061,"s_to_c_stddev":6821231.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":110.6,"c_to_s_max":291,"c_to_s_stddev":58.8,"s_to_c_min":66,"s_to_c_avg":923.8,"s_to_c_max":11512,"s_to_c_stddev":2937.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":286,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":75,"flow_dst_packets_processed":69,"flow_first_seen":1450889498032587,"flow_src_last_pkt_time":1450889698077770,"flow_dst_last_pkt_time":1450889698077758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":396,"flow_dst_max_l4_payload_len":25148,"flow_src_tot_l4_payload_len":4772,"flow_dst_tot_l4_payload_len":73452,"midstream":0,"thread_ts_usec":1450889698077770,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46536,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":286,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":74,"flow_dst_packets_processed":68,"flow_first_seen":1450889498074112,"flow_src_last_pkt_time":1450889698077769,"flow_dst_last_pkt_time":1450889698077759,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":333,"flow_dst_max_l4_payload_len":11446,"flow_src_tot_l4_payload_len":4963,"flow_dst_tot_l4_payload_len":23921,"midstream":0,"thread_ts_usec":1450889698077770,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46537,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} 00566{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":286,"source":"cassandra.pcap","alias":"nDPId-test","packets-captured":286,"packets-processed":286,"total-skipped-flows":0,"total-l4-payload-len":107108,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1450889698077770} @@ -28,5 +28,5 @@ ~~ total allocations/frees...: 121732/121732 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 480 chars -~~ json string max len.......: 1378 chars -~~ json string avg len.......: 921 chars +~~ json string max len.......: 1367 chars +~~ json string avg len.......: 915 chars diff --git a/test/results/check_mk_new.pcap.out b/test/results/check_mk_new.pcap.out index 88ae1c245..77617028d 100644 --- a/test/results/check_mk_new.pcap.out +++ b/test/results/check_mk_new.pcap.out @@ -5,7 +5,7 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1512031663734797,"flow_dst_last_pkt_time":1512031663734824,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1512031663734824,"pkt":"8soKyPpERjIA9qTsCABFAAA8AABAAEAG8SLAqGQywKhkFhmc5nZuqQJN1XLoOKAScSBJyAAAAgQFtAQCCAoWUVydKwxrPwEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1512031663734985,"flow_dst_last_pkt_time":1512031663734824,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1512031663734985,"pkt":"RjIA9qTs8soKyPpECABFEAA0gwlAAEAGbhHAqGQWwKhkMuZ2GZzVcug4bqkCToAQAOVJwAAAAQEICisMaz8WUVyd"} 00877{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1512031663734797,"flow_src_last_pkt_time":1512031663734985,"flow_dst_last_pkt_time":1512031663736952,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":15,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":15,"midstream":0,"thread_ts_usec":1512031663736952,"l3_proto":"ip4","src_ip":"192.168.100.22","dst_ip":"192.168.100.50","src_port":58998,"dst_port":6556,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"CHECKMK","proto_id":"138","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} -01360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1512031663734797,"flow_src_last_pkt_time":1512031663748376,"flow_dst_last_pkt_time":1512031663748413,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":502,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":1376,"midstream":0,"thread_ts_usec":1512031663748413,"l3_proto":"ip4","src_ip":"192.168.100.22","dst_ip":"192.168.100.50","src_port":58998,"dst_port":6556,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":27,"flow_avg":41003336.0,"flow_max":1312079613,"flow_stddev":228292032.0,"c_to_s_min":68,"c_to_s_avg":82005824.0,"c_to_s_max":1312079613,"c_to_s_stddev":317603680.0,"s_to_c_min":27,"s_to_c_avg":851.0,"s_to_c_max":2128,"s_to_c_stddev":817.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":66.5,"c_to_s_max":74,"c_to_s_stddev":1.9,"s_to_c_min":67,"s_to_c_avg":152.5,"s_to_c_max":568,"s_to_c_stddev":153.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"CHECKMK","proto_id":"138","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} +01326{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1512031663734797,"flow_src_last_pkt_time":1512031663748376,"flow_dst_last_pkt_time":1512031663748413,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":502,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":1376,"midstream":0,"thread_ts_usec":1512031663748413,"l3_proto":"ip4","src_ip":"192.168.100.22","dst_ip":"192.168.100.50","src_port":58998,"dst_port":6556,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":27,"flow_avg":877.3,"flow_max":2128,"flow_stddev":812.2,"c_to_s_min":68,"c_to_s_avg":905.3,"c_to_s_max":2061,"c_to_s_stddev":805.1,"s_to_c_min":27,"s_to_c_avg":851.0,"s_to_c_max":2128,"s_to_c_stddev":817.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":66.5,"c_to_s_max":74,"c_to_s_stddev":1.9,"s_to_c_min":67,"s_to_c_avg":152.5,"s_to_c_max":568,"s_to_c_stddev":153.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"CHECKMK","proto_id":"138","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00923{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":98,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":49,"flow_dst_packets_processed":49,"flow_first_seen":1512031663734797,"flow_src_last_pkt_time":1512031663775626,"flow_dst_last_pkt_time":1512031663775645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":4096,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":13758,"midstream":0,"thread_ts_usec":1512031663775645,"l3_proto":"ip4","src_ip":"192.168.100.22","dst_ip":"192.168.100.50","src_port":58998,"dst_port":6556,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"CHECKMK","proto_id":"138","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":98,"source":"check_mk_new.pcap","alias":"nDPId-test","packets-captured":98,"packets-processed":98,"total-skipped-flows":0,"total-l4-payload-len":13758,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1512031663775645} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121532/121532 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 483 chars -~~ json string max len.......: 1365 chars -~~ json string avg len.......: 889 chars +~~ json string max len.......: 1331 chars +~~ json string avg len.......: 874 chars diff --git a/test/results/chrome.pcap.out b/test/results/chrome.pcap.out index 2999d2f44..6d7e20bd4 100644 --- a/test/results/chrome.pcap.out +++ b/test/results/chrome.pcap.out @@ -11,7 +11,7 @@ 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1620902508740717,"flow_dst_last_pkt_time":1620902508769205,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620902508769205,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7+4peZebaYG3EqKAS\/og23AAAAgQFrAQCCAo6mxi5M3SVkQEDAwc="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1620902508769277,"flow_dst_last_pkt_time":1620902508769205,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1620902508769277,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EvuKAbtgbcSoXmXm24AQECxT5gAAAQEICjN0lag6mxi5"} 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":34,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902508769889,"flow_dst_last_pkt_time":1620902508769205,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902508769889,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"chrome.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902507870345,"flow_src_last_pkt_time":1620902508741011,"flow_dst_last_pkt_time":1620902508774460,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":750,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1998,"flow_dst_tot_l4_payload_len":15691,"midstream":0,"thread_ts_usec":1620902508774460,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64393,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":103967840.0,"flow_max":3325196153,"flow_stddev":578549760.0,"c_to_s_min":3,"c_to_s_avg":237576208.0,"c_to_s_max":3325196153,"c_to_s_stddev":856351680.0,"s_to_c_min":11,"s_to_c_avg":50228.6,"s_to_c_max":627868,"s_to_c_stddev":144914.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":209.6,"c_to_s_max":816,"c_to_s_stddev":263.4,"s_to_c_min":66,"s_to_c_avg":938.2,"s_to_c_max":1506,"s_to_c_stddev":652.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01327{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"chrome.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902507870345,"flow_src_last_pkt_time":1620902508741011,"flow_dst_last_pkt_time":1620902508774460,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":750,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1998,"flow_dst_tot_l4_payload_len":15691,"midstream":0,"thread_ts_usec":1620902508774460,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64393,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":57251.0,"flow_max":629043,"flow_stddev":154280.9,"c_to_s_min":3,"c_to_s_avg":66974.3,"c_to_s_max":629043,"c_to_s_stddev":165891.0,"s_to_c_min":11,"s_to_c_avg":50228.6,"s_to_c_max":627868,"s_to_c_stddev":144914.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":209.6,"c_to_s_max":816,"c_to_s_stddev":263.4,"s_to_c_min":66,"s_to_c_avg":938.2,"s_to_c_max":1506,"s_to_c_stddev":652.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01140{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":49,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902508769889,"flow_dst_last_pkt_time":1620902508800346,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620902508800346,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":74,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509272814,"flow_dst_last_pkt_time":1620902509272814,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902509272814,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":74,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1620902509272814,"flow_dst_last_pkt_time":1620902509272814,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620902509272814,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EvuYAbvjd2YSAAAAALAC\/\/+WlQAAAgQFtAEDAwUBAQgKM3SXeAAAAAAEAgAA"} @@ -33,19 +33,19 @@ 01098{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":115,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509303683,"flow_dst_last_pkt_time":1620902509302592,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902509303683,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01098{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":116,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509304055,"flow_dst_last_pkt_time":1620902509302720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902509304055,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01098{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":117,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509304589,"flow_dst_last_pkt_time":1620902509303215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902509304589,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01202{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":120,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902509329896,"flow_dst_last_pkt_time":1620902509327995,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":717,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2136,"flow_dst_tot_l4_payload_len":15926,"midstream":0,"thread_ts_usec":1620902509329896,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":111,"flow_avg":40888.3,"flow_max":468764,"flow_stddev":109821.7,"c_to_s_min":182,"c_to_s_avg":48076.6,"c_to_s_max":441785,"c_to_s_stddev":110128.0,"s_to_c_min":111,"s_to_c_avg":34545.8,"s_to_c_max":468764,"s_to_c_stddev":109158.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":209.2,"c_to_s_max":783,"c_to_s_stddev":272.3,"s_to_c_min":66,"s_to_c_avg":1003.3,"s_to_c_max":1506,"s_to_c_stddev":636.5}}} +01202{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":120,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902509329896,"flow_dst_last_pkt_time":1620902509327995,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":717,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2136,"flow_dst_tot_l4_payload_len":15926,"midstream":0,"thread_ts_usec":1620902509329896,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":111,"flow_avg":37950.2,"flow_max":468764,"flow_stddev":110334.2,"c_to_s_min":182,"c_to_s_avg":42084.2,"c_to_s_max":441785,"c_to_s_stddev":111605.8,"s_to_c_min":111,"s_to_c_avg":34545.8,"s_to_c_max":468764,"s_to_c_stddev":109158.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":209.2,"c_to_s_max":783,"c_to_s_stddev":272.3,"s_to_c_min":66,"s_to_c_avg":1003.3,"s_to_c_max":1506,"s_to_c_stddev":636.5}}} 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":120,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902509329896,"flow_dst_last_pkt_time":1620902509327995,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":717,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2136,"flow_dst_tot_l4_payload_len":15926,"midstream":0,"thread_ts_usec":1620902509329896,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01141{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":128,"source":"chrome.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902509273191,"flow_src_last_pkt_time":1620902509303389,"flow_dst_last_pkt_time":1620902509333977,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620902509333977,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64409,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01141{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":132,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509303683,"flow_dst_last_pkt_time":1620902509335101,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620902509335101,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01143{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":136,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509304589,"flow_dst_last_pkt_time":1620902509338226,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1620902509338226,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01143{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":143,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509304055,"flow_dst_last_pkt_time":1620902509342220,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1620902509342220,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01192{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":240,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509372872,"flow_dst_last_pkt_time":1620902509370350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2057,"flow_dst_tot_l4_payload_len":13178,"midstream":0,"thread_ts_usec":1620902509372872,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":20577.2,"flow_max":447564,"flow_stddev":78737.7,"c_to_s_min":11,"c_to_s_avg":33999.4,"c_to_s_max":447564,"c_to_s_stddev":107381.9,"s_to_c_min":2,"s_to_c_avg":6260.3,"s_to_c_max":28249,"s_to_c_stddev":10762.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":195.3,"c_to_s_max":820,"c_to_s_stddev":259.0,"s_to_c_min":66,"s_to_c_avg":890.1,"s_to_c_max":1506,"s_to_c_stddev":638.5}}} +01187{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":240,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509372872,"flow_dst_last_pkt_time":1620902509370350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2057,"flow_dst_tot_l4_payload_len":13178,"midstream":0,"thread_ts_usec":1620902509372872,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":6344.3,"flow_max":34983,"flow_stddev":11244.6,"c_to_s_min":11,"c_to_s_avg":6428.4,"c_to_s_max":34983,"c_to_s_stddev":11706.7,"s_to_c_min":2,"s_to_c_avg":6260.3,"s_to_c_max":28249,"s_to_c_stddev":10762.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":195.3,"c_to_s_max":820,"c_to_s_stddev":259.0,"s_to_c_min":66,"s_to_c_avg":890.1,"s_to_c_max":1506,"s_to_c_stddev":638.5}}} 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":240,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509372872,"flow_dst_last_pkt_time":1620902509370350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2057,"flow_dst_tot_l4_payload_len":13178,"midstream":0,"thread_ts_usec":1620902509372872,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01198{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":305,"source":"chrome.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620902509273191,"flow_src_last_pkt_time":1620902509394114,"flow_dst_last_pkt_time":1620902509395716,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1421,"flow_dst_tot_l4_payload_len":19283,"midstream":0,"thread_ts_usec":1620902509395716,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64409,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":114,"flow_avg":21492.4,"flow_max":444309,"flow_stddev":76866.7,"c_to_s_min":243,"c_to_s_avg":43479.4,"c_to_s_max":444309,"c_to_s_stddev":116404.2,"s_to_c_min":114,"s_to_c_avg":6448.7,"s_to_c_max":29278,"s_to_c_stddev":11092.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":176.2,"c_to_s_max":772,"c_to_s_stddev":240.2,"s_to_c_min":66,"s_to_c_avg":1081.3,"s_to_c_max":1506,"s_to_c_stddev":629.5}}} +01194{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":305,"source":"chrome.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620902509273191,"flow_src_last_pkt_time":1620902509394114,"flow_dst_last_pkt_time":1620902509395716,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1421,"flow_dst_tot_l4_payload_len":19283,"midstream":0,"thread_ts_usec":1620902509395716,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64409,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":114,"flow_avg":7853.2,"flow_max":30653,"flow_stddev":12089.6,"c_to_s_min":243,"c_to_s_avg":10076.9,"c_to_s_max":30653,"c_to_s_stddev":13216.9,"s_to_c_min":114,"s_to_c_avg":6448.7,"s_to_c_max":29278,"s_to_c_stddev":11092.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":176.2,"c_to_s_max":772,"c_to_s_stddev":240.2,"s_to_c_min":66,"s_to_c_avg":1081.3,"s_to_c_max":1506,"s_to_c_stddev":629.5}}} 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":305,"source":"chrome.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620902509273191,"flow_src_last_pkt_time":1620902509394114,"flow_dst_last_pkt_time":1620902509395716,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1421,"flow_dst_tot_l4_payload_len":19283,"midstream":0,"thread_ts_usec":1620902509395716,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64409,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01193{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":316,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509374250,"flow_dst_last_pkt_time":1620902509399481,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1303,"flow_dst_tot_l4_payload_len":17152,"midstream":0,"thread_ts_usec":1620902509399481,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":20963.0,"flow_max":445152,"flow_stddev":77134.9,"c_to_s_min":3,"c_to_s_avg":38954.9,"c_to_s_max":445152,"c_to_s_stddev":113382.1,"s_to_c_min":14,"s_to_c_avg":6969.3,"s_to_c_max":29880,"s_to_c_stddev":11449.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":159.9,"c_to_s_max":772,"c_to_s_stddev":215.3,"s_to_c_min":66,"s_to_c_avg":1019.3,"s_to_c_max":1506,"s_to_c_stddev":629.5}}} +01188{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":316,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509374250,"flow_dst_last_pkt_time":1620902509399481,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1303,"flow_dst_tot_l4_payload_len":17152,"midstream":0,"thread_ts_usec":1620902509399481,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":7279.5,"flow_max":38324,"flow_stddev":12250.6,"c_to_s_min":3,"c_to_s_avg":7708.9,"c_to_s_max":38324,"c_to_s_stddev":13268.7,"s_to_c_min":14,"s_to_c_avg":6969.3,"s_to_c_max":29880,"s_to_c_stddev":11449.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":159.9,"c_to_s_max":772,"c_to_s_stddev":215.3,"s_to_c_min":66,"s_to_c_avg":1019.3,"s_to_c_max":1506,"s_to_c_stddev":629.5}}} 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":316,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509374250,"flow_dst_last_pkt_time":1620902509399481,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1303,"flow_dst_tot_l4_payload_len":17152,"midstream":0,"thread_ts_usec":1620902509399481,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01192{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":331,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509401477,"flow_dst_last_pkt_time":1620902509396846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":709,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620902509401477,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":21769.6,"flow_max":443932,"flow_stddev":76862.0,"c_to_s_min":98,"c_to_s_avg":38173.0,"c_to_s_max":443932,"c_to_s_stddev":109176.1,"s_to_c_min":1,"s_to_c_avg":7296.0,"s_to_c_max":32013,"s_to_c_stddev":12508.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":208.8,"c_to_s_max":775,"c_to_s_stddev":271.4,"s_to_c_min":66,"s_to_c_avg":989.8,"s_to_c_max":1506,"s_to_c_stddev":638.3}}} +01187{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":331,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509401477,"flow_dst_last_pkt_time":1620902509396846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":709,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620902509401477,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8151.5,"flow_max":32013,"flow_stddev":12799.0,"c_to_s_min":98,"c_to_s_avg":9190.2,"c_to_s_max":31460,"c_to_s_stddev":13068.2,"s_to_c_min":1,"s_to_c_avg":7296.0,"s_to_c_max":32013,"s_to_c_stddev":12508.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":208.8,"c_to_s_max":775,"c_to_s_stddev":271.4,"s_to_c_min":66,"s_to_c_avg":989.8,"s_to_c_max":1506,"s_to_c_stddev":638.3}}} 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":331,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509401477,"flow_dst_last_pkt_time":1620902509396846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":709,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620902509401477,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00903{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":5633,"source":"chrome.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":374,"flow_dst_packets_processed":488,"flow_first_seen":1620902507870345,"flow_src_last_pkt_time":1620902514626667,"flow_dst_last_pkt_time":1620902514626583,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":750,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6885,"flow_dst_tot_l4_payload_len":681088,"midstream":0,"thread_ts_usec":1620902515049384,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64393,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00903{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":5633,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":472,"flow_dst_packets_processed":662,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902515037845,"flow_dst_last_pkt_time":1620902515037814,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":726,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6421,"flow_dst_tot_l4_payload_len":923694,"midstream":0,"thread_ts_usec":1620902515049384,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -67,5 +67,5 @@ ~~ total allocations/frees...: 127194/127194 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 477 chars -~~ json string max len.......: 1354 chars -~~ json string avg len.......: 914 chars +~~ json string max len.......: 1332 chars +~~ json string avg len.......: 903 chars diff --git a/test/results/coap_mqtt.pcap.out b/test/results/coap_mqtt.pcap.out index b5934d7bb..257d16d72 100644 --- a/test/results/coap_mqtt.pcap.out +++ b/test/results/coap_mqtt.pcap.out @@ -65,29 +65,29 @@ 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_src_last_pkt_time":1455907271483430,"flow_dst_last_pkt_time":1455907271485428,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1455907271485428,"pkt":"CAAnmO\/hCAAnAERyCABFAAAsEMdAAIAG+E3AqDgBwKg4ZdEURF3FmLqAlt6Sd1AYAP++LAAAQAIAAgAA"} 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_src_last_pkt_time":1455907271522028,"flow_dst_last_pkt_time":1455907271485428,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1455907271522028,"pkt":"CAAnAERyCAAnmO\/hCABFAAAo1KhAAEAGdHDAqDhlwKg4AURd0RSW3pJ3xZi6hFAQAOXx0QAA"} 00626{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1455907271585820,"flow_dst_last_pkt_time":1455907271483762,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":137,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":137,"pkt_l4_len":103,"thread_ts_usec":1455907271585820,"pkt":"CAAnmO\/hCAAnAERyCABFAAB7EM0AAIARN+7AqDgBwKg4ZcSHRFwAZzJrQgM1Anj4ckRcQXIIQnVzMTdDbWQRMv97Im1lc3NhZ2VUeXBlIjoiVVBEQVRFIiwibWVzc2FnZUNvbnRlbnQiOiJGcmkgRmViIDE5IDIwOjQxOjExIEVFVCAyMDE2In0="} -01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1455907267002212,"flow_src_last_pkt_time":1455907271697274,"flow_dst_last_pkt_time":1455907271735420,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":286,"flow_dst_tot_l4_payload_len":367,"midstream":0,"thread_ts_usec":1455907271735420,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53528,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":72,"flow_avg":565572.8,"flow_max":8670060,"flow_stddev":1791486.4,"c_to_s_min":248,"c_to_s_avg":891008.1,"c_to_s_max":8670060,"c_to_s_stddev":2328258.8,"s_to_c_min":72,"s_to_c_avg":278424.0,"s_to_c_max":4438876,"s_to_c_stddev":1040343.7},"pktlen": {"c_to_s_min":60,"c_to_s_avg":76.3,"c_to_s_max":114,"c_to_s_stddev":23.1,"s_to_c_min":54,"s_to_c_avg":76.3,"s_to_c_max":140,"s_to_c_stddev":35.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} -01496{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":162,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1455907243976582,"flow_src_last_pkt_time":1455907271915318,"flow_dst_last_pkt_time":1455907271915135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":448,"midstream":1,"thread_ts_usec":1455907271915318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53522,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":130,"flow_avg":68423112.0,"flow_max":2133662333,"flow_stddev":370986976.0,"c_to_s_min":1247,"c_to_s_avg":154400080.0,"c_to_s_max":2133662333,"c_to_s_stddev":548993216.0,"s_to_c_min":130,"s_to_c_avg":1552141.8,"s_to_c_max":27505948,"s_to_c_stddev":6294776.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":75.4,"c_to_s_max":114,"c_to_s_stddev":24.4,"s_to_c_min":54,"s_to_c_avg":78.9,"s_to_c_max":140,"s_to_c_stddev":37.9}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} -01484{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":163,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1455907258332152,"flow_src_last_pkt_time":1455907271915337,"flow_dst_last_pkt_time":1455907271915223,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":448,"midstream":1,"thread_ts_usec":1455907271915337,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53523,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":237,"flow_avg":1297557.0,"flow_max":14355570,"flow_stddev":3925075.0,"c_to_s_min":773,"c_to_s_avg":1995625.4,"c_to_s_max":14355570,"c_to_s_stddev":4767105.5,"s_to_c_min":237,"s_to_c_avg":754615.1,"s_to_c_max":13150790,"s_to_c_stddev":3006626.2},"pktlen": {"c_to_s_min":60,"c_to_s_avg":75.4,"c_to_s_max":114,"c_to_s_stddev":24.4,"s_to_c_min":54,"s_to_c_avg":78.9,"s_to_c_max":140,"s_to_c_stddev":37.9}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} -01476{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":184,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1455907271483430,"flow_src_last_pkt_time":1455907271957948,"flow_dst_last_pkt_time":1455907271958031,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":60,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":320,"midstream":1,"thread_ts_usec":1455907271958031,"l3_proto":"ip4","src_ip":"192.168.56.101","dst_ip":"192.168.56.1","src_port":17501,"dst_port":53524,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":156,"flow_avg":440624.8,"flow_max":13150874,"flow_stddev":2282979.8,"c_to_s_min":156,"c_to_s_avg":756966.2,"c_to_s_max":13150874,"c_to_s_stddev":3006072.2,"s_to_c_min":665,"s_to_c_avg":33900.1,"s_to_c_max":73508,"s_to_c_stddev":26969.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":78.8,"c_to_s_max":140,"c_to_s_stddev":38.0,"s_to_c_min":60,"s_to_c_avg":79.3,"s_to_c_max":114,"s_to_c_stddev":25.9}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} +01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1455907267002212,"flow_src_last_pkt_time":1455907271697274,"flow_dst_last_pkt_time":1455907271735420,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":286,"flow_dst_tot_l4_payload_len":367,"midstream":0,"thread_ts_usec":1455907271735420,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53528,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":72,"flow_avg":304137.8,"flow_max":4438876,"flow_stddev":1061040.8,"c_to_s_min":248,"c_to_s_avg":335361.6,"c_to_s_max":4242440,"c_to_s_stddev":1084823.4,"s_to_c_min":72,"s_to_c_avg":278424.0,"s_to_c_max":4438876,"s_to_c_stddev":1040343.7},"pktlen": {"c_to_s_min":60,"c_to_s_avg":76.3,"c_to_s_max":114,"c_to_s_stddev":23.1,"s_to_c_min":54,"s_to_c_avg":76.3,"s_to_c_max":140,"s_to_c_stddev":35.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} +01485{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":162,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1455907243976582,"flow_src_last_pkt_time":1455907271915318,"flow_dst_last_pkt_time":1455907271915135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":448,"midstream":1,"thread_ts_usec":1455907271915318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53522,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":130,"flow_avg":1802493.1,"flow_max":27505948,"flow_stddev":6724537.0,"c_to_s_min":1247,"c_to_s_avg":2149133.5,"c_to_s_max":27310358,"c_to_s_stddev":7263584.0,"s_to_c_min":130,"s_to_c_avg":1552141.8,"s_to_c_max":27505948,"s_to_c_stddev":6294776.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":75.4,"c_to_s_max":114,"c_to_s_stddev":24.4,"s_to_c_min":54,"s_to_c_avg":78.9,"s_to_c_max":140,"s_to_c_stddev":37.9}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} +01483{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":163,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1455907258332152,"flow_src_last_pkt_time":1455907271915337,"flow_dst_last_pkt_time":1455907271915223,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":448,"midstream":1,"thread_ts_usec":1455907271915337,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53523,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":237,"flow_avg":876330.8,"flow_max":13150790,"flow_stddev":3197714.5,"c_to_s_min":773,"c_to_s_avg":1044860.4,"c_to_s_max":12952309,"c_to_s_stddev":3437736.8,"s_to_c_min":237,"s_to_c_avg":754615.1,"s_to_c_max":13150790,"s_to_c_stddev":3006626.2},"pktlen": {"c_to_s_min":60,"c_to_s_avg":75.4,"c_to_s_max":114,"c_to_s_stddev":24.4,"s_to_c_min":54,"s_to_c_avg":78.9,"s_to_c_max":140,"s_to_c_stddev":37.9}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} +01464{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":184,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1455907271483430,"flow_src_last_pkt_time":1455907271957948,"flow_dst_last_pkt_time":1455907271958031,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":60,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":320,"midstream":1,"thread_ts_usec":1455907271958031,"l3_proto":"ip4","src_ip":"192.168.56.101","dst_ip":"192.168.56.1","src_port":17501,"dst_port":53524,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":156,"flow_avg":30616.7,"flow_max":73508,"flow_stddev":26730.8,"c_to_s_min":156,"c_to_s_avg":27912.8,"c_to_s_max":67273,"c_to_s_stddev":26225.9,"s_to_c_min":665,"s_to_c_avg":33900.1,"s_to_c_max":73508,"s_to_c_stddev":26969.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":78.8,"c_to_s_max":140,"c_to_s_stddev":38.0,"s_to_c_min":60,"s_to_c_avg":79.3,"s_to_c_max":114,"s_to_c_stddev":25.9}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":429,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272856457,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":95,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":95,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907272856457,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00627{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":429,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272856457,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":137,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":137,"pkt_l4_len":103,"thread_ts_usec":1455907272856457,"pkt":"CAAnmO\/hCAAnAERyCABFAAB7EWkAAIARN1LAqDgBwKg4ZcSORFwAZ7scQgMdqQeYckRcQXIIQnVzMTdDbWQRMv97Im1lc3NhZ2VUeXBlIjoiVVBEQVRFIiwibWVzc2FnZUNvbnRlbnQiOiJGcmkgRmViIDE5IDIwOjQxOjEyIEVFVCAyMDE2In0="} 00870{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":429,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272856457,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":95,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":95,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907272856457,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":439,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272858898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":26,"thread_ts_usec":1455907272858898,"pkt":"CAAnAERyCAAnmO\/hCABFAAAuXhFAAEAR6vbAqDhlwKg4AURcxI4AGvHiYkQdqQeYiy9yL0J1czE3Q21k"} 00633{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":489,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_src_last_pkt_time":1455907272969405,"flow_dst_last_pkt_time":1455907272858898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":141,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":141,"pkt_l4_len":107,"thread_ts_usec":1455907272969405,"pkt":"CAAnmO\/hCAAnAERyCABFAAB\/EYMAAIARNzTAqDgBwKg4ZcSORFwAa8WlRgMdqhF5z0YYRXJEXEFyCEJ1czE3Q21kETL\/eyJtZXNzYWdlVHlwZSI6IlVQREFURSIsIm1lc3NhZ2VDb250ZW50IjoiRnJpIEZlYiAxOSAyMDo0MToxMyBFRVQgMjAxNiJ9"} -01354{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":588,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907273126173,"flow_dst_last_pkt_time":1455907273127913,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1538,"flow_dst_tot_l4_payload_len":306,"midstream":0,"thread_ts_usec":1455907273127913,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1824,"flow_avg":241524.2,"flow_max":4438565,"flow_stddev":754050.7,"c_to_s_min":103882,"c_to_s_avg":380175.0,"c_to_s_max":4438565,"c_to_s_stddev":1047876.8,"s_to_c_min":1824,"s_to_c_avg":102873.4,"s_to_c_max":115953,"s_to_c_stddev":26289.5},"pktlen": {"c_to_s_min":136,"c_to_s_avg":138.1,"c_to_s_max":143,"c_to_s_stddev":2.1,"s_to_c_min":59,"s_to_c_avg":61.1,"s_to_c_max":66,"s_to_c_stddev":2.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01348{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":588,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907273126173,"flow_dst_last_pkt_time":1455907273127913,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1538,"flow_dst_tot_l4_payload_len":306,"midstream":0,"thread_ts_usec":1455907273127913,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1824,"flow_avg":106135.8,"flow_max":117757,"flow_stddev":19323.7,"c_to_s_min":103882,"c_to_s_avg":109615.7,"c_to_s_max":117757,"c_to_s_stddev":3320.9,"s_to_c_min":1824,"s_to_c_avg":102873.4,"s_to_c_max":115953,"s_to_c_stddev":26289.5},"pktlen": {"c_to_s_min":136,"c_to_s_avg":138.1,"c_to_s_max":143,"c_to_s_stddev":2.1,"s_to_c_min":59,"s_to_c_avg":61.1,"s_to_c_max":66,"s_to_c_stddev":2.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1032,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":97,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":97,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":97,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907274088318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00633{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1032,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":139,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":139,"pkt_l4_len":105,"thread_ts_usec":1455907274088318,"pkt":"CAAnmO\/hCAAnAERyCABFAAB9EncAAIARNkLAqDgBwKg4ZcSIRFwAaR7GRANSj9XGl0FyRFxBcghCdXMxN0NtZBEy\/3sibWVzc2FnZVR5cGUiOiJVUERBVEUiLCJtZXNzYWdlQ29udGVudCI6IkZyaSBGZWIgMTkgMjA6NDE6MTQgRUVUIDIwMTYifQ=="} 00871{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1032,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":97,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":97,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":97,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907274088318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1042,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274089637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1455907274089637,"pkt":"CAAnAERyCAAnmO\/hCABFAAAwXqNAAEAR6mLAqDhlwKg4AURcxIgAHPHkZERSj9XGl0GLL3IvQnVzMTdDbWQ="} 00636{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1083,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1455907274193327,"flow_dst_last_pkt_time":1455907274089637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":143,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":143,"pkt_l4_len":109,"thread_ts_usec":1455907274193327,"pkt":"CAAnmO\/hCAAnAERyCABFAACBEpIAAIARNiPAqDgBwKg4ZcSIRFwAbeMnSANSkLugNTWCkTE2ckRcQXIIQnVzMTdDbWQRMv97Im1lc3NhZ2VUeXBlIjoiVVBEQVRFIiwibWVzc2FnZUNvbnRlbnQiOiJGcmkgRmViIDE5IDIwOjQxOjE0IEVFVCAyMDE2In0="} -01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1308,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907274582746,"flow_dst_last_pkt_time":1455907274587363,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":1552,"flow_dst_tot_l4_payload_len":320,"midstream":0,"thread_ts_usec":1455907274587363,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2441,"flow_avg":108410.7,"flow_max":127663,"flow_stddev":26851.5,"c_to_s_min":11948,"c_to_s_avg":108639.8,"c_to_s_max":127663,"c_to_s_stddev":25683.6,"s_to_c_min":2441,"s_to_c_avg":108181.6,"s_to_c_max":125708,"s_to_c_stddev":27968.8},"pktlen": {"c_to_s_min":137,"c_to_s_avg":139.0,"c_to_s_max":142,"c_to_s_stddev":1.8,"s_to_c_min":60,"s_to_c_avg":62.0,"s_to_c_max":65,"s_to_c_stddev":1.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1308,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907274582746,"flow_dst_last_pkt_time":1455907274587363,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":1552,"flow_dst_tot_l4_payload_len":320,"midstream":0,"thread_ts_usec":1455907274587363,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2441,"flow_avg":111522.4,"flow_max":127663,"flow_stddev":20842.5,"c_to_s_min":105608,"c_to_s_avg":115085.9,"c_to_s_max":127663,"c_to_s_stddev":6227.5,"s_to_c_min":2441,"s_to_c_avg":108181.6,"s_to_c_max":125708,"s_to_c_stddev":27968.8},"pktlen": {"c_to_s_min":137,"c_to_s_avg":139.0,"c_to_s_max":142,"c_to_s_stddev":1.8,"s_to_c_min":60,"s_to_c_avg":62.0,"s_to_c_max":65,"s_to_c_stddev":1.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1927,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":99,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907275690777,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00635{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1927,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":141,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":141,"pkt_l4_len":107,"thread_ts_usec":1455907275690777,"pkt":"CAAnmO\/hCAAnAERyCABFAAB\/FCAAAIARNJfAqDgBwKg4ZcSPRFwAa2JLRgOAZtDWwMpn\/nJEXEFyCEJ1czE3Q21kETL\/eyJtZXNzYWdlVHlwZSI6IlVQREFURSIsIm1lc3NhZ2VDb250ZW50IjoiRnJpIEZlYiAxOSAyMDo0MToxNSBFRVQgMjAxNiJ9"} 00871{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1927,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":99,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907275690777,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1936,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275695868,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":64,"pkt_l4_len":30,"thread_ts_usec":1455907275695868,"pkt":"CAAnAERyCAAnmO\/hCABFAAAyX35AAEAR6YXAqDhlwKg4AURcxI8AHvHmZkSAZtDWwMpn\/osvci9CdXMxN0NtZA=="} 00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2015,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1455907275831283,"flow_dst_last_pkt_time":1455907275695868,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":1455907275831283,"pkt":"CAAnmO\/hCAAnAERyCABFAACAFEwAAIARNGrAqDgBwKg4ZcSPRFwAbLkURwOAZ6ExGoh1VzNyRFxBcghCdXMxN0NtZBEy\/3sibWVzc2FnZVR5cGUiOiJVUERBVEUiLCJtZXNzYWdlQ29udGVudCI6IkZyaSBGZWIgMTkgMjA6NDE6MTUgRUVUIDIwMTYifQ=="} -01348{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2067,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907275896569,"flow_dst_last_pkt_time":1455907275902611,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1564,"flow_dst_tot_l4_payload_len":332,"midstream":0,"thread_ts_usec":1455907275902611,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1319,"flow_avg":113271.0,"flow_max":131359,"flow_stddev":29716.0,"c_to_s_min":2129,"c_to_s_avg":113148.8,"c_to_s_max":131277,"c_to_s_stddev":29685.9,"s_to_c_min":1319,"s_to_c_avg":113393.3,"s_to_c_max":131359,"s_to_c_stddev":29745.6},"pktlen": {"c_to_s_min":137,"c_to_s_avg":139.8,"c_to_s_max":143,"c_to_s_stddev":1.8,"s_to_c_min":60,"s_to_c_avg":62.8,"s_to_c_max":66,"s_to_c_stddev":1.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3210,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907277661201,"flow_dst_last_pkt_time":1455907277663998,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1561,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1455907277663998,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5091,"flow_avg":123822.8,"flow_max":172321,"flow_stddev":32012.9,"c_to_s_min":18686,"c_to_s_avg":124319.4,"c_to_s_max":172321,"c_to_s_stddev":30678.1,"s_to_c_min":5091,"s_to_c_avg":123326.3,"s_to_c_max":164608,"s_to_c_stddev":33286.9},"pktlen": {"c_to_s_min":136,"c_to_s_avg":139.6,"c_to_s_max":143,"c_to_s_stddev":2.2,"s_to_c_min":59,"s_to_c_avg":62.6,"s_to_c_max":66,"s_to_c_stddev":2.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2067,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907275896569,"flow_dst_last_pkt_time":1455907275902611,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1564,"flow_dst_tot_l4_payload_len":332,"midstream":0,"thread_ts_usec":1455907275902611,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1319,"flow_avg":116856.3,"flow_max":131359,"flow_stddev":22365.2,"c_to_s_min":105009,"c_to_s_avg":120550.1,"c_to_s_max":131277,"c_to_s_stddev":7970.6,"s_to_c_min":1319,"s_to_c_avg":113393.3,"s_to_c_max":131359,"s_to_c_stddev":29745.6},"pktlen": {"c_to_s_min":137,"c_to_s_avg":139.8,"c_to_s_max":143,"c_to_s_stddev":1.8,"s_to_c_min":60,"s_to_c_avg":62.8,"s_to_c_max":66,"s_to_c_stddev":1.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01350{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3210,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907277661201,"flow_dst_last_pkt_time":1455907277663998,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1561,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1455907277663998,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5091,"flow_avg":127214.4,"flow_max":172321,"flow_stddev":26264.3,"c_to_s_min":106749,"c_to_s_avg":131361.6,"c_to_s_max":172321,"c_to_s_stddev":14505.2,"s_to_c_min":5091,"s_to_c_avg":123326.3,"s_to_c_max":164608,"s_to_c_stddev":33286.9},"pktlen": {"c_to_s_min":136,"c_to_s_avg":139.6,"c_to_s_max":143,"c_to_s_stddev":2.2,"s_to_c_min":59,"s_to_c_avg":62.6,"s_to_c_max":66,"s_to_c_stddev":2.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00921{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":8516,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":100,"flow_dst_packets_processed":100,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907282684236,"flow_dst_last_pkt_time":1455907282686487,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":9710,"flow_dst_tot_l4_payload_len":2010,"midstream":0,"thread_ts_usec":1455907286855601,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00921{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":8516,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":100,"flow_dst_packets_processed":100,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907285180257,"flow_dst_last_pkt_time":1455907285181466,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":9747,"flow_dst_tot_l4_payload_len":2047,"midstream":0,"thread_ts_usec":1455907286855601,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00921{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":8516,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":100,"flow_dst_packets_processed":100,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907284043615,"flow_dst_last_pkt_time":1455907284046276,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":9760,"flow_dst_tot_l4_payload_len":2060,"midstream":0,"thread_ts_usec":1455907286855601,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -110,5 +110,5 @@ ~~ total allocations/frees...: 130102/130102 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 480 chars -~~ json string max len.......: 1501 chars -~~ json string avg len.......: 989 chars +~~ json string max len.......: 1490 chars +~~ json string avg len.......: 984 chars diff --git a/test/results/collectd.pcap.out b/test/results/collectd.pcap.out index 5850a02ba..2f6445d54 100644 --- a/test/results/collectd.pcap.out +++ b/test/results/collectd.pcap.out @@ -35,7 +35,7 @@ 00908{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":23,"source":"collectd.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1655315218479780,"flow_src_last_pkt_time":1655315251746402,"flow_dst_last_pkt_time":1655315218479780,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1231,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1344,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":6534,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315413990695,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":54138,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00906{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":27,"source":"collectd.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1655315218479780,"flow_src_last_pkt_time":1655315251746402,"flow_dst_last_pkt_time":1655315218479780,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1231,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1344,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":6534,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315443990841,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":54138,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00910{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":34,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315503990671,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":30569,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315503990671,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} -01334{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315583990823,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42548,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315583990823,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":417,"flow_avg":10484714.0,"flow_max":65511558,"flow_stddev":10419285.0,"c_to_s_min":417,"c_to_s_avg":10484714.0,"c_to_s_max":65511558,"c_to_s_stddev":10419285.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":1353,"c_to_s_avg":1371.6,"c_to_s_max":1388,"c_to_s_stddev":10.8,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +01330{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315583990823,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42548,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315583990823,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":417,"flow_avg":8709655.0,"flow_max":10000474,"flow_stddev":3352121.2,"c_to_s_min":417,"c_to_s_avg":8709655.0,"c_to_s_max":10000474,"c_to_s_stddev":3352121.2,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":1353,"c_to_s_avg":1371.6,"c_to_s_max":1388,"c_to_s_stddev":10.8,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00910{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":55,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":44,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315683990797,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":58483,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315683990797,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":60,"source":"collectd.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1655315734133371,"flow_src_last_pkt_time":1655315734133371,"flow_dst_last_pkt_time":1655315734133371,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1334,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1334,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1334,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315734133371,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":36832,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 02285{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":60,"source":"collectd.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1655315734133371,"flow_dst_last_pkt_time":1655315734133371,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1376,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1376,"pkt_l4_len":1342,"thread_ts_usec":1655315734133371,"pkt":"AAAAAAAAAAAAAAAACABFAAVSgypAAEARtG5\/AAABfwAAAY\/gZOIFPgNSAAAAFWRldmxhcC5mcml0ei5ib3gAAAgADBiqh0MI68hQAAkADAAAAAKAAAAAAAIAC21lbW9yeQAABAALbWVtb3J5AAAFAAtjYWNoZWQAAAYADwABAQAAAADeOudBAAUACWZyZWUAAAYADwABAQAAAAAAgbhBAAUADWJ1ZmZlcmVkAAAGAA8AAQEAAAAAKHzAQQAFAA5hdmFpbGFibGUAAAYADwABAQAAAADEo+tBAAUADnNsYWJfcmVjbAAABgAPAAEBAAAAAEBJqUEABQAJdXNlZAAABgAPAAEBAAAAAPA87UEABQAQc2xhYl91bnJlY2wAAAYADwABAQAAAACA4ZdBAAgADBiqh0WIfqylAAIACGNwdQAAAwAGMAAABAAIY3B1AAAFAAl1c2VyAAAGAA8AAQIAAAAAABawWQAIAAwYqodFiH7fdQADAAYxAAAGAA8AAQIAAAAAABX5TAAIAAwYqodFiH8ZSwADAAYyAAAGAA8AAQIAAAAAABQZhwAIAAwYqodFiH+y0wADAAYxAAAFAAtzeXN0ZW0AAAYADwABAgAAAAAABKntAAgADBiqh0WIf7qeAAMABjIAAAYADwABAgAAAAAABJ\/lAAgADBiqh0WIf9wOAAMABjMAAAYADwABAgAAAAAABI1BAAgADBiqh0WIgAgcAAMABjEAAAUACXdhaXQAAAYADwABAgAAAAAAAEPAAAgADBiqh0WIgBAPAAMABjIAAAYADwABAgAAAAAAAEdRAAgADBiqh0WIf+U8AAMABjAAAAYADwABAgAAAAAAAEPlAAgADBiqh0WIf0BEAAMABjMAAAUACXVzZXIAAAYADwABAgAAAAAAFfl+AAgADBiqh0WIgBZ8AAUACXdhaXQAAAYADwABAgAAAAAAAD55AAgADBiqh0WIgBzpAAMABjAAAAUACW5pY2UAAAYADwABAgAAAAAAAAAmAAgADBiqh0WIgEZ6AAMABjIAAAYADwABAgAAAAAAAAArAAgADBiqh0WIgFc\/AAMABjAAAAUADmludGVycnVwdAAABgAPAAECAAAAAAABD\/MACAAMGKqHRYiAgLMAAwAGMgAABgAPAAECAAAAAAAA0OMACAAMGKqHRYh\/gyQAAwAGMAAABQALc3lzdGVtAAAGAA8AAQIAAAAAAASq\/AAIAAwYqodFiICRmAAFAAxzb2Z0aXJxAAAGAA8AAQIAAAAAAADr3gAIAAwYqodFiIBNyQADAAYzAAAFAAluaWNlAAAGAA8AAQIAAAAAAAAAMAAIAAwYqodFiICZhwADAAYxAAAFAAxzb2Z0aXJxAAAGAA8AAQIAAAAAAAB0EgAIAAwYqodFiICIwAADAAYzAAAFAA5pbnRlcnJ1cHQAAAYADwABAgAAAAAAAG4vAAgADBiqh0WIgMnmAAMABjAAAAUACnN0ZWFsAAAGAA8AAQIAAAAAAAAAAAAIAAwYqodFiIA7sAADAAYxAAAFAAluaWNlAAAGAA8AAQIAAAAAAAAAMQAIAAwYqodFiIDvvAADAAYyAAAFAApzdGVhbAAABgAPAAECAAAAAAAAAAAACAAMGKqHRYiA9t4AAwAGMwAABgAPAAECAAAAAAAAAAAACAAMGKqHRYiAwRUABQAMc29mdGlycQAABgAPAAECAAAAAAAAOukACAAMGKqHRYiAYIQAAwAGMQAABQAOaW50ZXJydXB0AAAGAA8AAQIAAAAAAACk0AAIAAwYqodFiIDnzgAFAApzdGVhbAAABgAPAAECAAAAAAAAAAA="} diff --git a/test/results/dnp3.pcap.out b/test/results/dnp3.pcap.out index 0d84b10b4..d92aed893 100644 --- a/test/results/dnp3.pcap.out +++ b/test/results/dnp3.pcap.out @@ -5,14 +5,14 @@ 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1097501938503079,"flow_dst_last_pkt_time":1097501938503079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097501938503079,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTFlAAIAGmmQKAAAICgAAAwrlTiBVHBrSAAAAAHAC\/\/+mIQAAAgQFtAEBBAI="} 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1097501938503079,"flow_dst_last_pkt_time":1097501938503079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097501938503079,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTFlAAIAGmmQKAAAICgAAAwrlTiBVHBrSAAAAAHAC\/\/+mIQAAAgQFtAEBBAI="} 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097501938503079,"flow_src_last_pkt_time":1097501938503490,"flow_dst_last_pkt_time":1097501938504844,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097501938504844,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2789,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097501938503079,"flow_src_last_pkt_time":1097502061905496,"flow_dst_last_pkt_time":1097501941569134,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097502061905496,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2789,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":201,"flow_avg":43808164.0,"flow_max":355421335,"flow_stddev":104301264.0,"c_to_s_min":411,"c_to_s_avg":68403392.0,"c_to_s_max":355421335,"c_to_s_stddev":124220184.0,"s_to_c_min":201,"s_to_c_avg":766513.8,"s_to_c_max":3043080,"s_to_c_stddev":1314402.4},"pktlen": {"c_to_s_min":60,"c_to_s_avg":66.3,"c_to_s_max":79,"c_to_s_stddev":7.7,"s_to_c_min":60,"s_to_c_avg":66.0,"s_to_c_max":71,"s_to_c_stddev":5.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097501938503079,"flow_src_last_pkt_time":1097502061905496,"flow_dst_last_pkt_time":1097501941569134,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097502061905496,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2789,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":201,"flow_avg":12646847.0,"flow_max":120145678,"flow_stddev":35851428.0,"c_to_s_min":411,"c_to_s_avg":20567070.0,"c_to_s_max":120145678,"c_to_s_stddev":44544712.0,"s_to_c_min":201,"s_to_c_avg":766513.8,"s_to_c_max":3043080,"s_to_c_stddev":1314402.4},"pktlen": {"c_to_s_min":60,"c_to_s_avg":66.3,"c_to_s_max":79,"c_to_s_stddev":7.7,"s_to_c_min":60,"s_to_c_avg":66.0,"s_to_c_max":71,"s_to_c_stddev":5.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00552{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":40,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":40,"packets-processed":39,"total-skipped-flows":0,"total-l4-payload-len":345,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1097502623045756} 00742{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":40,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502623045756,"flow_dst_last_pkt_time":1097502623045756,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097502623045756,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1097502623045756,"flow_dst_last_pkt_time":1097502623045756,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097502623045756,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTRVAAIAGmagKAAAICgAAAwrzTiBm5W0JAAAAAHAC\/\/9CEwAAAgQFtAEBBAI="} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":41,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1097502623045756,"flow_dst_last_pkt_time":1097502623045756,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097502623045756,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTRVAAIAGmagKAAAICgAAAwrzTiBm5W0JAAAAAHAC\/\/9CEwAAAgQFtAEBBAI="} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1097502623045756,"flow_dst_last_pkt_time":1097502623045756,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097502623045756,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTRVAAIAGmagKAAAICgAAAwrzTiBm5W0JAAAAAHAC\/\/9CEwAAAgQFtAEBBAI="} 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":49,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502623046134,"flow_dst_last_pkt_time":1097502623047417,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097502623047417,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":71,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502648521527,"flow_dst_last_pkt_time":1097502648521681,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097502648521681,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":174,"flow_avg":55632484.0,"flow_max":561005614,"flow_stddev":159929488.0,"c_to_s_min":378,"c_to_s_avg":97746904.0,"c_to_s_max":561005614,"c_to_s_stddev":207256064.0,"s_to_c_min":174,"s_to_c_avg":5095185.0,"s_to_c_max":17487311,"s_to_c_stddev":6474045.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":66.3,"c_to_s_max":78,"c_to_s_stddev":8.3,"s_to_c_min":60,"s_to_c_avg":62.8,"s_to_c_max":71,"s_to_c_stddev":4.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01336{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":71,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502648521527,"flow_dst_last_pkt_time":1097502648521681,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097502648521681,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":174,"flow_avg":5095169.5,"flow_max":17487311,"flow_stddev":6400487.0,"c_to_s_min":378,"c_to_s_avg":5095154.5,"c_to_s_max":17203302,"c_to_s_stddev":6326074.0,"s_to_c_min":174,"s_to_c_avg":5095185.0,"s_to_c_max":17487311,"s_to_c_stddev":6474045.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":66.3,"c_to_s_max":78,"c_to_s_stddev":8.3,"s_to_c_min":60,"s_to_c_avg":62.8,"s_to_c_max":71,"s_to_c_stddev":4.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00553{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":79,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":79,"packets-processed":78,"total-skipped-flows":0,"total-l4-payload-len":540,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":16,"global_ts_usec":1097504102255746} 00742{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":79,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504102255746,"flow_dst_last_pkt_time":1097504102255746,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097504102255746,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1097504102255746,"flow_dst_last_pkt_time":1097504102255746,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097504102255746,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTjtAAIAGmIIKAAAICgAAAwsMTiCPBdusAAAAAHAC\/\/+rNgAAAgQFtAEBBAI="} @@ -20,7 +20,7 @@ 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1097504102255746,"flow_dst_last_pkt_time":1097504102255746,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097504102255746,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTjtAAIAGmIIKAAAICgAAAwsMTiCPBdusAAAAAHAC\/\/+rNgAAAgQFtAEBBAI="} 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":88,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504102256118,"flow_dst_last_pkt_time":1097504102257400,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097504102257400,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00897{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":109,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":18,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502648678187,"flow_dst_last_pkt_time":1097502648677871,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097504103602860,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01347{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":110,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504186592304,"flow_dst_last_pkt_time":1097504103409070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097504186592304,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":167,"flow_avg":139915216.0,"flow_max":1453577559,"flow_stddev":416089856.0,"c_to_s_min":372,"c_to_s_avg":219702016.0,"c_to_s_max":1453577559,"c_to_s_stddev":504535616.0,"s_to_c_min":167,"s_to_c_avg":288331.0,"s_to_c_max":1141407,"s_to_c_stddev":492538.9},"pktlen": {"c_to_s_min":60,"c_to_s_avg":66.3,"c_to_s_max":79,"c_to_s_stddev":7.7,"s_to_c_min":60,"s_to_c_avg":66.0,"s_to_c_max":71,"s_to_c_stddev":5.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01338{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":110,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504186592304,"flow_dst_last_pkt_time":1097504103409070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097504186592304,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":167,"flow_avg":8548988.0,"flow_max":82989444,"flow_stddev":24816838.0,"c_to_s_min":372,"c_to_s_avg":14056093.0,"c_to_s_max":82989444,"c_to_s_stddev":30829804.0,"s_to_c_min":167,"s_to_c_avg":288331.0,"s_to_c_max":1141407,"s_to_c_stddev":492538.9},"pktlen": {"c_to_s_min":60,"c_to_s_avg":66.3,"c_to_s_max":79,"c_to_s_stddev":7.7,"s_to_c_min":60,"s_to_c_avg":66.0,"s_to_c_max":71,"s_to_c_stddev":5.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":217,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":217,"packets-processed":216,"total-skipped-flows":0,"total-l4-payload-len":3957,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":3,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":24,"global_ts_usec":1097505644006837} 00743{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":217,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097505644006837,"flow_src_last_pkt_time":1097505644006837,"flow_dst_last_pkt_time":1097505644006837,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097505644006837,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1080,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":217,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1097505644006837,"flow_dst_last_pkt_time":1097505644006837,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097505644006837,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAVNAAIAG5WkKAAAJCgAAAwQ4TiAZahgcAAAAAHAC\/\/\/rNQAAAgQFtAEBBAI="} @@ -28,14 +28,14 @@ 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":219,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1097505644006837,"flow_dst_last_pkt_time":1097505644006837,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097505644006837,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAVNAAIAG5WkKAAAJCgAAAwQ4TiAZahgcAAAAAHAC\/\/\/rNQAAAgQFtAEBBAI="} 00899{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":226,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":15,"flow_first_seen":1097501938503079,"flow_src_last_pkt_time":1097502062040142,"flow_dst_last_pkt_time":1097502061912093,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":192,"flow_dst_tot_l4_payload_len":153,"midstream":0,"thread_ts_usec":1097505644007259,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2789,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00854{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":226,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":3,"flow_first_seen":1097505644006837,"flow_src_last_pkt_time":1097505719035890,"flow_dst_last_pkt_time":1097505644007009,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":15,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":15,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097505719035890,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1080,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":248,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097505644006837,"flow_src_last_pkt_time":1097505754575976,"flow_dst_last_pkt_time":1097505754654239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":205,"midstream":0,"thread_ts_usec":1097505754654239,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1080,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":172,"flow_avg":149194528.0,"flow_max":1419923282,"flow_stddev":402843616.0,"c_to_s_min":422,"c_to_s_avg":255082064.0,"c_to_s_max":1419923282,"c_to_s_stddev":521641504.0,"s_to_c_min":172,"s_to_c_avg":22129480.0,"s_to_c_max":75076356,"s_to_c_stddev":29843254.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":63.8,"c_to_s_max":72,"c_to_s_stddev":4.8,"s_to_c_min":62,"s_to_c_avg":70.4,"s_to_c_max":77,"s_to_c_stddev":5.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":248,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097505644006837,"flow_src_last_pkt_time":1097505754575976,"flow_dst_last_pkt_time":1097505754654239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":205,"midstream":0,"thread_ts_usec":1097505754654239,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1080,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":172,"flow_avg":22121654.0,"flow_max":75076356,"flow_stddev":29809640.0,"c_to_s_min":422,"c_to_s_avg":22113828.0,"c_to_s_max":75028631,"c_to_s_stddev":29775988.0,"s_to_c_min":172,"s_to_c_avg":22129480.0,"s_to_c_max":75076356,"s_to_c_stddev":29843254.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":63.8,"c_to_s_max":72,"c_to_s_stddev":4.8,"s_to_c_min":62,"s_to_c_avg":70.4,"s_to_c_max":77,"s_to_c_stddev":5.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":352,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":352,"packets-processed":351,"total-skipped-flows":0,"total-l4-payload-len":5682,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":4,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":32,"global_ts_usec":1097507785883614} 00743{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":352,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507785883614,"flow_dst_last_pkt_time":1097507785883614,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097507785883614,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":352,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1097507785883614,"flow_dst_last_pkt_time":1097507785883614,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097507785883614,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAaRAAIAG5RkKAAAICgAAAwQ+TiAMLRLKAAAAAHAC\/\/\/9vwAAAgQFtAEBBAI="} 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":353,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1097507785883614,"flow_dst_last_pkt_time":1097507785883614,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097507785883614,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAaRAAIAG5RkKAAAICgAAAwQ+TiAMLRLKAAAAAHAC\/\/\/9vwAAAgQFtAEBBAI="} 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":354,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1097507785883614,"flow_dst_last_pkt_time":1097507785883614,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097507785883614,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAaRAAIAG5RkKAAAICgAAAwQ+TiAMLRLKAAAAAHAC\/\/\/9vwAAAgQFtAEBBAI="} 00854{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":361,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507785883944,"flow_dst_last_pkt_time":1097507785885063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097507785885063,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01348{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":383,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507788771853,"flow_dst_last_pkt_time":1097507788624309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097507788771853,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":139,"flow_avg":160264688.0,"flow_max":1757282556,"flow_stddev":505022272.0,"c_to_s_min":330,"c_to_s_avg":251452960.0,"c_to_s_max":1757282556,"c_to_s_stddev":614752896.0,"s_to_c_min":139,"s_to_c_avg":685173.8,"s_to_c_max":2639445,"s_to_c_stddev":1129023.9},"pktlen": {"c_to_s_min":60,"c_to_s_avg":66.2,"c_to_s_max":79,"c_to_s_stddev":7.6,"s_to_c_min":60,"s_to_c_avg":66.0,"s_to_c_max":71,"s_to_c_stddev":5.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01330{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":383,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507788771853,"flow_dst_last_pkt_time":1097507788624309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097507788771853,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":139,"flow_avg":562893.4,"flow_max":2639445,"flow_stddev":999852.8,"c_to_s_min":330,"c_to_s_avg":481373.2,"c_to_s_max":2471106,"c_to_s_stddev":894296.2,"s_to_c_min":139,"s_to_c_avg":685173.8,"s_to_c_max":2639445,"s_to_c_stddev":1129023.9},"pktlen": {"c_to_s_min":60,"c_to_s_avg":66.2,"c_to_s_max":79,"c_to_s_stddev":7.6,"s_to_c_min":60,"s_to_c_avg":66.0,"s_to_c_max":71,"s_to_c_stddev":5.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00900{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":427,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":60,"flow_dst_packets_processed":78,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504224083555,"flow_dst_last_pkt_time":1097504223905294,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":91,"flow_src_tot_l4_payload_len":687,"flow_dst_tot_l4_payload_len":2730,"midstream":0,"thread_ts_usec":1097507789958377,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":445,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":445,"packets-processed":444,"total-skipped-flows":0,"total-l4-payload-len":7101,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":5,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":5,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":40,"global_ts_usec":1097510947092701} 00743{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":445,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097510947092701,"flow_src_last_pkt_time":1097510947092701,"flow_dst_last_pkt_time":1097510947092701,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097510947092701,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1159,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -52,14 +52,14 @@ 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":474,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1097512255234470,"flow_dst_last_pkt_time":1097512255234470,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097512255234470,"pkt":"AAKzznBRAFAEk3BnCABFAAAwBpNAAIAG4CoKAAAICgAAAwSgTiANrtDCAAAAAHAC\/\/895AAAAgQFtAEBBAI="} 00854{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":481,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097512255234470,"flow_src_last_pkt_time":1097512255234830,"flow_dst_last_pkt_time":1097512255236054,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097512255236054,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1184,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00899{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":496,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":57,"flow_dst_packets_processed":36,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507856257809,"flow_dst_last_pkt_time":1097507856091024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":93,"flow_src_tot_l4_payload_len":645,"flow_dst_tot_l4_payload_len":774,"midstream":0,"thread_ts_usec":1097512264841740,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":503,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097512255234470,"flow_src_last_pkt_time":1097512267645965,"flow_dst_last_pkt_time":1097512267537969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":153,"midstream":0,"thread_ts_usec":1097512267645965,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1184,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":157,"flow_avg":120042032.0,"flow_max":1295747290,"flow_stddev":371806432.0,"c_to_s_min":360,"c_to_s_avg":186879840.0,"c_to_s_max":1295747290,"c_to_s_stddev":452703744.0,"s_to_c_min":157,"s_to_c_avg":3075874.8,"s_to_c_max":9487840,"s_to_c_stddev":3876019.5},"pktlen": {"c_to_s_min":60,"c_to_s_avg":65.7,"c_to_s_max":78,"c_to_s_stddev":8.1,"s_to_c_min":62,"s_to_c_avg":68.8,"s_to_c_max":71,"s_to_c_stddev":3.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01335{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":503,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097512255234470,"flow_src_last_pkt_time":1097512267645965,"flow_dst_last_pkt_time":1097512267537969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":153,"midstream":0,"thread_ts_usec":1097512267645965,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1184,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":157,"flow_avg":2471499.5,"flow_max":9487840,"flow_stddev":3592256.2,"c_to_s_min":360,"c_to_s_avg":2068582.5,"c_to_s_max":9226978,"c_to_s_stddev":3329510.0,"s_to_c_min":157,"s_to_c_avg":3075874.8,"s_to_c_max":9487840,"s_to_c_stddev":3876019.5},"pktlen": {"c_to_s_min":60,"c_to_s_avg":65.7,"c_to_s_max":78,"c_to_s_stddev":8.1,"s_to_c_min":62,"s_to_c_avg":68.8,"s_to_c_max":71,"s_to_c_stddev":3.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":505,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":505,"packets-processed":504,"total-skipped-flows":0,"total-l4-payload-len":7593,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":7,"total-detection-updates":0,"total-updates":1,"current-active-flows":2,"total-active-flows":7,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":56,"global_ts_usec":1097513177295531} 00743{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":505,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513177295531,"flow_dst_last_pkt_time":1097513177295531,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097513177295531,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":505,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1097513177295531,"flow_dst_last_pkt_time":1097513177295531,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097513177295531,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAUpAAIAG5XIKAAAJCgAAAwQ8TiBc3qwfAAAAAHAC\/\/8TugAAAgQFtAEBBAI="} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":506,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1097513177295531,"flow_dst_last_pkt_time":1097513177295531,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097513177295531,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAUpAAIAG5XIKAAAJCgAAAwQ8TiBc3qwfAAAAAHAC\/\/8TugAAAgQFtAEBBAI="} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":507,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1097513177295531,"flow_dst_last_pkt_time":1097513177295531,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097513177295531,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAUpAAIAG5XIKAAAJCgAAAwQ8TiBc3qwfAAAAAHAC\/\/8TugAAAgQFtAEBBAI="} 00854{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":514,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513177295941,"flow_dst_last_pkt_time":1097513177297272,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097513177297272,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01345{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":536,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513185001370,"flow_dst_last_pkt_time":1097513185001533,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097513185001533,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":199,"flow_avg":84096488.0,"flow_max":909649566,"flow_stddev":261066336.0,"c_to_s_min":410,"c_to_s_avg":152892560.0,"c_to_s_max":909649566,"c_to_s_stddev":338434336.0,"s_to_c_min":199,"s_to_c_avg":1541200.4,"s_to_c_max":3963212,"s_to_c_stddev":1475451.6},"pktlen": {"c_to_s_min":60,"c_to_s_avg":66.3,"c_to_s_max":78,"c_to_s_stddev":8.3,"s_to_c_min":60,"s_to_c_avg":62.8,"s_to_c_max":71,"s_to_c_stddev":4.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01334{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":536,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513185001370,"flow_dst_last_pkt_time":1097513185001533,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097513185001533,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":199,"flow_avg":1541184.1,"flow_max":3963212,"flow_stddev":1422434.8,"c_to_s_min":410,"c_to_s_avg":1541167.8,"c_to_s_max":3672101,"c_to_s_stddev":1367363.8,"s_to_c_min":199,"s_to_c_avg":1541200.4,"s_to_c_max":3963212,"s_to_c_stddev":1475451.6},"pktlen": {"c_to_s_min":60,"c_to_s_avg":66.3,"c_to_s_max":78,"c_to_s_stddev":8.3,"s_to_c_min":60,"s_to_c_avg":62.8,"s_to_c_max":71,"s_to_c_stddev":4.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00897{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":543,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":18,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513185107737,"flow_dst_last_pkt_time":1097513185107430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097513185107737,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00898{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":543,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":12,"flow_first_seen":1097510947092701,"flow_src_last_pkt_time":1097510959359091,"flow_dst_last_pkt_time":1097510959487180,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097513185107737,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1159,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00899{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":543,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":12,"flow_first_seen":1097512255234470,"flow_src_last_pkt_time":1097512267645965,"flow_dst_last_pkt_time":1097512267537969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":153,"midstream":0,"thread_ts_usec":1097513185107737,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1184,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} @@ -77,5 +77,5 @@ ~~ total allocations/frees...: 122063/122063 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 475 chars -~~ json string max len.......: 1356 chars -~~ json string avg len.......: 914 chars +~~ json string max len.......: 1348 chars +~~ json string avg len.......: 910 chars diff --git a/test/results/dns-tunnel-iodine.pcap.out b/test/results/dns-tunnel-iodine.pcap.out index 55384706e..3c7ed3b67 100644 --- a/test/results/dns-tunnel-iodine.pcap.out +++ b/test/results/dns-tunnel-iodine.pcap.out @@ -6,7 +6,7 @@ 00586{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1282356640051082,"flow_dst_last_pkt_time":1282356640051175,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"thread_ts_usec":1282356640051175,"pkt":"CAAnnOC0CAAnx266CABFAABZAABAAEARImMKAAIUCgACHgA1rl8ARRoeErCEAAABAAEAAAAAC3ZhYWFha2FyZGxpBnBpcmF0ZQNzZWEAAAoAAcAMAAoAAQAAAAAACVZBQ0tEA8XpAQ=="} 01140{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1282356640051082,"flow_src_last_pkt_time":1282356640051082,"flow_dst_last_pkt_time":1282356640051175,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":61,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":61,"midstream":0,"thread_ts_usec":1282356640051175,"l3_proto":"ip4","src_ip":"10.0.2.30","dst_ip":"10.0.2.20","src_port":44639,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"vaaaakardli.pirate.sea","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":10,"rsp_type":10,"rsp_addr":"0.0.0.0"}}} 00586{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1282356640051979,"flow_dst_last_pkt_time":1282356640051175,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"thread_ts_usec":1282356640051979,"pkt":"CAAnx266CAAnnOC0CABFAABZAABAAEARImMKAAIeCgACFK5fADUARcobMN8BAAABAAAAAAAAIGxhZWdwdW1pcGxoaHB6MTJ5bmQxZWZsandsa2pjZ3d5BnBpcmF0ZQNzZWEAAAoAAQ=="} -01485{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":34,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1282356640051082,"flow_src_last_pkt_time":1282356645071860,"flow_dst_last_pkt_time":1282356640060900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":281,"flow_dst_max_l4_payload_len":1434,"flow_src_tot_l4_payload_len":2968,"flow_dst_tot_l4_payload_len":3580,"midstream":0,"thread_ts_usec":1282356645071860,"l3_proto":"ip4","src_ip":"10.0.2.30","dst_ip":"10.0.2.20","src_port":44639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":93,"flow_avg":123892104.0,"flow_max":3959516794,"flow_stddev":688898624.0,"c_to_s_min":209,"c_to_s_avg":208659872.0,"c_to_s_max":3959516794,"c_to_s_stddev":884085568.0,"s_to_c_min":93,"s_to_c_avg":755.2,"s_to_c_max":5715,"s_to_c_stddev":1453.3},"pktlen": {"c_to_s_min":82,"c_to_s_avg":198.2,"c_to_s_max":323,"c_to_s_stddev":107.6,"s_to_c_min":93,"s_to_c_avg":317.4,"s_to_c_max":1476,"s_to_c_stddev":420.4}},"ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01467{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":34,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1282356640051082,"flow_src_last_pkt_time":1282356645071860,"flow_dst_last_pkt_time":1282356640060900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":281,"flow_dst_max_l4_payload_len":1434,"flow_src_tot_l4_payload_len":2968,"flow_dst_tot_l4_payload_len":3580,"midstream":0,"thread_ts_usec":1282356645071860,"l3_proto":"ip4","src_ip":"10.0.2.30","dst_ip":"10.0.2.20","src_port":44639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":93,"flow_avg":162277.3,"flow_max":1002966,"flow_stddev":368318.9,"c_to_s_min":209,"c_to_s_avg":278932.1,"c_to_s_max":1002966,"c_to_s_stddev":448533.7,"s_to_c_min":93,"s_to_c_avg":755.2,"s_to_c_max":5715,"s_to_c_stddev":1453.3},"pktlen": {"c_to_s_min":82,"c_to_s_avg":198.2,"c_to_s_max":323,"c_to_s_stddev":107.6,"s_to_c_min":93,"s_to_c_avg":317.4,"s_to_c_max":1476,"s_to_c_stddev":420.4}},"ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01043{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":438,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":222,"flow_dst_packets_processed":212,"flow_first_seen":1282356640051082,"flow_src_last_pkt_time":1282356664538177,"flow_dst_last_pkt_time":1282356664538369,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":281,"flow_dst_max_l4_payload_len":1470,"flow_src_tot_l4_payload_len":16812,"flow_dst_tot_l4_payload_len":35212,"midstream":0,"thread_ts_usec":1282356664538369,"l3_proto":"ip4","src_ip":"10.0.2.30","dst_ip":"10.0.2.20","src_port":44639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00573{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":438,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","packets-captured":438,"packets-processed":434,"total-skipped-flows":0,"total-l4-payload-len":52024,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1282356664538369} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -22,5 +22,5 @@ ~~ total allocations/frees...: 121869/121869 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1490 chars -~~ json string avg len.......: 963 chars +~~ json string max len.......: 1472 chars +~~ json string avg len.......: 955 chars diff --git a/test/results/dns_doh.pcap.out b/test/results/dns_doh.pcap.out index dbeed593b..804efa0b7 100644 --- a/test/results/dns_doh.pcap.out +++ b/test/results/dns_doh.pcap.out @@ -6,7 +6,7 @@ 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1571089200876498,"flow_dst_last_pkt_time":1571089200876406,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1571089200876498,"pkt":"WkBO7NFkeDHBvV4kCABFAAAoAABAAEAGI66sFAoEaBD4+cLVAbuk7FgjymHcL1AQEAAggAAA"} 01118{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089200878306,"flow_dst_last_pkt_time":1571089200876406,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1571089200878306,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"mozilla.cloudflare-dns.com","tls": {"version":"TLSv1.2","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01163{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089200878306,"flow_dst_last_pkt_time":1571089200968629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1300,"midstream":0,"thread_ts_usec":1571089200968629,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"mozilla.cloudflare-dns.com","tls": {"version":"TLSv1.3","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01363{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089201723583,"flow_dst_last_pkt_time":1571089201764372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":1424,"flow_dst_tot_l4_payload_len":4202,"midstream":0,"thread_ts_usec":1571089201764372,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":98410440.0,"flow_max":3048814106,"flow_stddev":538667584.0,"c_to_s_min":1,"c_to_s_avg":179396976.0,"c_to_s_max":3048814106,"c_to_s_stddev":717354304.0,"s_to_c_min":1,"s_to_c_avg":69648.7,"s_to_c_max":525420,"s_to_c_stddev":135423.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":134.4,"c_to_s_max":571,"c_to_s_stddev":124.2,"s_to_c_min":54,"s_to_c_avg":355.0,"s_to_c_max":1354,"s_to_c_stddev":444.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} +01342{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089201723583,"flow_dst_last_pkt_time":1571089201764372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":1424,"flow_dst_tot_l4_payload_len":4202,"midstream":0,"thread_ts_usec":1571089201764372,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":63645.8,"flow_max":535341,"flow_stddev":131829.5,"c_to_s_min":1,"c_to_s_avg":58393.3,"c_to_s_max":535341,"c_to_s_stddev":128372.8,"s_to_c_min":1,"s_to_c_avg":69648.7,"s_to_c_max":525420,"s_to_c_stddev":135423.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":134.4,"c_to_s_max":571,"c_to_s_stddev":124.2,"s_to_c_min":54,"s_to_c_avg":355.0,"s_to_c_max":1354,"s_to_c_stddev":444.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00916{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":142,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":86,"flow_dst_packets_processed":56,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089204031014,"flow_dst_last_pkt_time":1571089204030791,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":3792,"flow_dst_tot_l4_payload_len":8866,"midstream":0,"thread_ts_usec":1571089204031014,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":142,"source":"dns_doh.pcap","alias":"nDPId-test","packets-captured":142,"packets-processed":142,"total-skipped-flows":0,"total-l4-payload-len":12658,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1571089204031014} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -22,5 +22,5 @@ ~~ total allocations/frees...: 121582/121582 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 478 chars -~~ json string max len.......: 1368 chars -~~ json string avg len.......: 902 chars +~~ json string max len.......: 1347 chars +~~ json string avg len.......: 893 chars diff --git a/test/results/dns_exfiltration.pcap.out b/test/results/dns_exfiltration.pcap.out index 3cbff1a9b..f8afd0ad0 100644 --- a/test/results/dns_exfiltration.pcap.out +++ b/test/results/dns_exfiltration.pcap.out @@ -6,7 +6,7 @@ 00963{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1580978146717893,"flow_dst_last_pkt_time":1580978146888524,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":386,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":386,"pkt_l4_len":352,"thread_ts_usec":1580978146888524,"pkt":"jNzURr7Eqqru7hERCABFAAF0PC1AAD8R1RrAqMunwKjcOAA13DUBYD3xOR2BgAABAAEAAAAABmRuc2NhdDw1NDZiMDNmNTAwMDAwMDAwMDBhNjAyM2VkNGRmMTg0ZDZhYzVjMjYyOGI0NzcxNGZkZWU1ODRmZWQ3Mzk8NWEwM2I1YjFlMWFhOGY4ZmRiMWJiZThkNWUwNDk1MjE0MWY3ZDRmODJjN2UzYjA2ZGNjOGI4N2ZhZDdhGjE5ZTRkMDk4ZGM4YzYxOGY4ZDgxY2ZlYjAyAAAPAAHADAAPAAEAAAA8AJ8ACgZkbnNjYXQ\/MjAxZjAzZjUwMDAwMDAwMDAwNzEzYjkyNzFmMDExZGM3NjQyM2RhYjM5MmMzMmMxOGJmYzk2YjZkMjY5NWEyPzZhOTExYzk0NDcyZjU5NDA5YTVmNTI2MDEzZTc2MDE5MzY2YTA3NzkyOWUzNDgwZmJlNmQ3YzRlZGE2ZjkwOBRmMmJjOTlhNjAxZTFhODIyMTMzNgA="} 01325{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978146717893,"flow_dst_last_pkt_time":1580978146888524,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":173,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":173,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":173,"flow_dst_tot_l4_payload_len":344,"midstream":0,"thread_ts_usec":1580978146888524,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":15,"rsp_type":15,"rsp_addr":"0.0.0.0"}}} 00670{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1580978147753419,"flow_dst_last_pkt_time":1580978146888524,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":166,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":166,"pkt_l4_len":132,"thread_ts_usec":1580978147753419,"pkt":"qqru7hERjNzURr7ECABFAACYekZAAD8RAADAqNw4wKjLp9w1ADUAhCnHfRoBAAABAAAAAAAABmRuc2NhdDw5MWYwMDNmNTAwZjYxMjIxODEwYWVhMDAwMDA0ODYzYzY5MTU4MGVjYWQ2NmY2NGFjN2RkYjg3Yjg5YzcmOTIwMDgyMWU1MjdkNGUxNzYzMjUzYzI1ZTI5N2UyYWE0MTEzZDAAAAUAAQ=="} -01615{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978160880828,"flow_dst_last_pkt_time":1580978160882236,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":59,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":173,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":1158,"flow_dst_tot_l4_payload_len":2183,"midstream":0,"thread_ts_usec":1580978160882236,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3976,"flow_avg":22293354.0,"flow_max":685060021,"flow_stddev":119036728.0,"c_to_s_min":4647,"c_to_s_avg":43701436.0,"c_to_s_max":685060021,"c_to_s_stddev":165598256.0,"s_to_c_min":3976,"s_to_c_avg":885271.4,"s_to_c_max":1015599,"s_to_c_stddev":304995.8},"pktlen": {"c_to_s_min":101,"c_to_s_avg":114.4,"c_to_s_max":215,"c_to_s_stddev":31.2,"s_to_c_min":148,"s_to_c_avg":178.4,"s_to_c_max":386,"s_to_c_stddev":63.0}},"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01601{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978160880828,"flow_dst_last_pkt_time":1580978160882236,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":59,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":173,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":1158,"flow_dst_tot_l4_payload_len":2183,"midstream":0,"thread_ts_usec":1580978160882236,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3976,"flow_avg":913783.2,"flow_max":1035526,"flow_stddev":281798.4,"c_to_s_min":4647,"c_to_s_avg":944195.7,"c_to_s_max":1035526,"c_to_s_stddev":251194.5,"s_to_c_min":3976,"s_to_c_avg":885271.4,"s_to_c_max":1015599,"s_to_c_stddev":304995.8},"pktlen": {"c_to_s_min":101,"c_to_s_avg":114.4,"c_to_s_max":215,"c_to_s_stddev":31.2,"s_to_c_min":148,"s_to_c_avg":178.4,"s_to_c_max":386,"s_to_c_stddev":63.0}},"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01165{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":300,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":150,"flow_dst_packets_processed":150,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978206706247,"flow_dst_last_pkt_time":1580978206707432,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":59,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":26119,"flow_dst_tot_l4_payload_len":34826,"midstream":0,"thread_ts_usec":1580978206707432,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00572{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":300,"source":"dns_exfiltration.pcap","alias":"nDPId-test","packets-captured":300,"packets-processed":300,"total-skipped-flows":0,"total-l4-payload-len":60945,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1580978206707432} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -22,5 +22,5 @@ ~~ total allocations/frees...: 121736/121736 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 487 chars -~~ json string max len.......: 1620 chars -~~ json string avg len.......: 1030 chars +~~ json string max len.......: 1606 chars +~~ json string avg len.......: 1024 chars diff --git a/test/results/doq_adguard.pcapng.out b/test/results/doq_adguard.pcapng.out index 704186bf3..db13c184c 100644 --- a/test/results/doq_adguard.pcapng.out +++ b/test/results/doq_adguard.pcapng.out @@ -5,7 +5,7 @@ 01103{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1608278425043144,"flow_src_last_pkt_time":1608278425043144,"flow_dst_last_pkt_time":1608278425043144,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1232,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1608278425043144,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"94.140.14.14","src_port":41070,"dst_port":784,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.DoH_DoT","proto_id":"188.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.adguard.com","quic": {"tls": {"version":"TLSv1.3","ja3":"1e022f87823477abd6a79c31d70062d7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"doq-i00","tls_supported_versions":"TLSv1.3"}}}} 00689{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1608278425043144,"flow_dst_last_pkt_time":1608278425079621,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":182,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":182,"pkt_l4_len":148,"thread_ts_usec":1608278425079621,"pkt":"mt9Y+uvcCL6sCxduCABFAACoAbMAAD8RP6dejA4OwKgMqQMQoG4AlJ+l8P8AAB0RXf586nXFuX6jZU8LHDkLsXUEXOoexyg1M1\/+GZvbsGeGqJJILJUnaeRPlfaewSkJ0QM1kILJB9RkVGFQIKTOYfD\/amFvF5G2sUWGCAnPMQAxGtra+t44CL4uNVFuP1UAIYDjP5flgPs8Cfp53+s66ugMjRy2XoqR7aApyqmdoc3EHdt+2Cg="} 02173{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1608278425084825,"flow_dst_last_pkt_time":1608278425079621,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1274,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1274,"pkt_l4_len":1240,"thread_ts_usec":1608278425084825,"pkt":"CL6sCxdumt9Y+uvcCABFAATsXYtAAEARnorAqAypXowODqBuAxAE2FXxz\/8AAB0EXOoexxFd\/nzqdcW5fqNlTwscOQuxdUBgKDUzX\/4Zm9uwZ4aokkgslSdp5E+V9p7BKQnRAzWQgskH1GRUYVAgpM5h8P9qYW8XkbaxRYYICc8xADEa2tr63jgIvi41UW4\/VQAhgOM\/l+WA+zwJ+nnf6zrq6AyNHLZeRFASnCr8obwp9Ty5sR7kprQnC0Sv2ZcsxYzIMAthEKqYU0zMuGSEznU2JvTrq\/bykaeb5dqdGxdiszDYKDU6Jn7sPAcjUZ2gh8+BYZGe9phFiloXFkZRqkF4syIAEkOpcy2MK\/fkeUIOyP6wlwkzaY3fbmuxHrqRyLu45SBR1VMQFyHi28JYz7QmMQfDMqnuI0IWIuFKHwG0T\/v0jhF19jPBzG3JSCrPoiaSUV9rQI1kZsCKoMrGjumM68QAfolXONsAd2IYudReWz3mQrB3zOSDXc7+iPJJwc0+KS52obxIkJ0I8SZ7CLjp+FpGH++2YepZGSZYPB5rc\/4HU1bQ4ocmPERQ5l+FpQxpj4cq2AJTX05VWg9LfjDFrHE6D6oMOTTfheRhy7X3SqhzfVhy\/w3RXnv00qwNGkVr8QIR+wCM95sfw88fV3+NqmU3vnLU2z+qvvT2HlvRQm9ykjYa60lgB9sFJ5Ng9ge\/cpn16AR4r\/NoOup4fo8EeFB8cFrAVg+3WG3mgWxUdvK6oND07fFN48QrriL1y7XuIB3Fa65jgY5B4zE7vkkBXKUfGormP9hug8dHVr44WkbHCTqfFJuTHKIf9gtfJ9VQps1jhQjM952WGdM\/mFbut40pSDwrgQgdt0stO2C4PvDiwgzZaEybJzcZBHCUgM8reKIoRyLrSsWciN2b3tsFQXXaEeEGdt8Bc\/5zyh11uwNSzGQ\/Fl2k7QrJleMEWlDCFHuNFZdb7JDVOvqjlXAHTTHX0xSx0KU4aqrg\/kZVORXUFVlv\/xu8mW\/pGVbnSUQNAvLvkvHNdnu1ZPxtBzMoqU+96Xp\/DxrznNbYv32YFRLbK8kA8U4FaZhJ3oS+5KFBikdLEV9Hai2hbk8GZjN2iqviHrHccJqNkg3SIuZD5qamhaUaMG9NOa5pQ9jLJU\/ymgo7DdgKxRH8uuDjWk10CemOYV7pIj9XJEg0HHMmlI1Un6aDxtAu5UK1qm1HNb38yVa+sYeN5Ew6KHyqBUxxS4IflHX5qeqIZPOKrYg5MCubhSudLKbjcH5sXIzejKF8iZ0FlTKPdHSExxjW0QFN6bAWoLJuZE\/4kDcgHKTjdquB1S9wjg6Pah9A0AO1p8+A56ZYLVjRHdUF0Eo6bHTdn4hIgHvxPjCmO5BtWUKEeQnKGkkR8kgREjXo6GfEeHC4Vb4SCK88RJFW07bR+3U68E0sOKimZElroA+KMcE32OqnpsNULoyV7BunASAegp78gVNI0Bil4Klffm6tM6xnJr7Wx08jSGi+pGYWmiGnj3zfHIxpQuw4bIpm3S\/lud8tMnqwiD6\/bIUKO1SxVSWZBp6s2PlGyGHrgwwdIy5nXoip9OukmbhVHpu5a+3BERo9ToRhkKbGsS5gAuyL08\/F6VvMQD\/JdB+\/2rkXCT7ca7Lr49P5aV+w66D8Iwyn8BcCGyOLiGucN4S\/JjMhOeFgH9mu48hQ78o="} -01379{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1608278425043144,"flow_src_last_pkt_time":1608278427520204,"flow_dst_last_pkt_time":1608278427556259,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":3388,"flow_dst_tot_l4_payload_len":9887,"midstream":0,"thread_ts_usec":1608278427556259,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"94.140.14.14","src_port":41070,"dst_port":784,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":12,"flow_avg":67382568.0,"flow_max":2151251896,"flow_stddev":374274240.0,"c_to_s_min":12,"c_to_s_avg":134608064.0,"c_to_s_max":2151251896,"c_to_s_stddev":520695392.0,"s_to_c_min":12,"s_to_c_avg":157069.7,"s_to_c_max":1885270,"s_to_c_stddev":449816.2},"pktlen": {"c_to_s_min":73,"c_to_s_avg":253.8,"c_to_s_max":1274,"c_to_s_stddev":388.3,"s_to_c_min":83,"s_to_c_avg":659.9,"s_to_c_max":1294,"s_to_c_stddev":560.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.DoH_DoT","proto_id":"188.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} +01362{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1608278425043144,"flow_src_last_pkt_time":1608278427520204,"flow_dst_last_pkt_time":1608278427556259,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":3388,"flow_dst_tot_l4_payload_len":9887,"midstream":0,"thread_ts_usec":1608278427556259,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"94.140.14.14","src_port":41070,"dst_port":784,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":12,"flow_avg":160973.4,"flow_max":1885270,"flow_stddev":453072.4,"c_to_s_min":12,"c_to_s_avg":165137.3,"c_to_s_max":1830423,"c_to_s_stddev":456483.3,"s_to_c_min":12,"s_to_c_avg":157069.7,"s_to_c_max":1885270,"s_to_c_stddev":449816.2},"pktlen": {"c_to_s_min":73,"c_to_s_avg":253.8,"c_to_s_max":1274,"c_to_s_stddev":388.3,"s_to_c_min":83,"s_to_c_avg":659.9,"s_to_c_max":1294,"s_to_c_stddev":560.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.DoH_DoT","proto_id":"188.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":296,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":164,"flow_dst_packets_processed":132,"flow_first_seen":1608278425043144,"flow_src_last_pkt_time":1608278463119538,"flow_dst_last_pkt_time":1608278462796456,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":30,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":10308,"flow_dst_tot_l4_payload_len":21705,"midstream":0,"thread_ts_usec":1608278463119538,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"94.140.14.14","src_port":41070,"dst_port":784,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.DoH_DoT","proto_id":"188.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00569{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":296,"source":"doq_adguard.pcapng","alias":"nDPId-test","packets-captured":296,"packets-processed":296,"total-skipped-flows":0,"total-l4-payload-len":32013,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1608278463119538} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/dos_win98_smb_netbeui.pcap.out b/test/results/dos_win98_smb_netbeui.pcap.out index 4ebf29335..c6c0e1616 100644 --- a/test/results/dos_win98_smb_netbeui.pcap.out +++ b/test/results/dos_win98_smb_netbeui.pcap.out @@ -334,7 +334,7 @@ 00371{"packet_event_id":1,"packet_event_name":"packet","packet_id":213,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":61,"pkt_type":47,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":61,"pkt_l4_len":0,"thread_ts_usec":1576409925057831,"pkt":"AwAAAAABAFBWM3ieAC\/w8AMsAP\/vAQAAAAAAGQBXT1JLR1JPVVAgICAgICAeTUFSVElOIFJPU0VOQVUgAw=="} 00200{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":214,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","layer_type":47,"global_ts_usec":1576409926307736} 00371{"packet_event_id":1,"packet_event_name":"packet","packet_id":214,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":61,"pkt_type":47,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":61,"pkt_l4_len":0,"thread_ts_usec":1576409925057831,"pkt":"AwAAAAABAFBWM3ieAC\/w8AMsAP\/vAQAAAAAAGQAAAAAAAAAAAAAAAAAAAAAATUFSVElOIFJPU0VOQVUgAw=="} -01341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1576409800543745,"flow_src_last_pkt_time":1576409931837438,"flow_dst_last_pkt_time":1576409800543745,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2176,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"192.168.239.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":43,"flow_avg":4150424.8,"flow_max":96434388,"flow_stddev":16996510.0,"c_to_s_min":43,"c_to_s_avg":4150424.8,"c_to_s_max":96434388,"c_to_s_stddev":16996510.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":110,"c_to_s_avg":110.0,"c_to_s_max":110,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +01341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1576409800543745,"flow_src_last_pkt_time":1576409931837438,"flow_dst_last_pkt_time":1576409800543745,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2176,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"192.168.239.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":43,"flow_avg":4235280.5,"flow_max":96434388,"flow_stddev":17261798.0,"c_to_s_min":43,"c_to_s_avg":4235280.5,"c_to_s_max":96434388,"c_to_s_stddev":17261798.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":110,"c_to_s_avg":110.0,"c_to_s_max":110,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00880{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1576409798047534,"flow_src_last_pkt_time":1576409798047534,"flow_dst_last_pkt_time":1576409798047534,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":8,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":8,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":8,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"224.0.0.2","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00923{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1576409800543745,"flow_src_last_pkt_time":1576409931837438,"flow_dst_last_pkt_time":1576409800543745,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2176,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"192.168.239.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00920{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":0,"flow_first_seen":1576409797553896,"flow_src_last_pkt_time":1576409928060524,"flow_dst_last_pkt_time":1576409797553896,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":952,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"192.168.239.2","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} diff --git a/test/results/drda_db2.pcap.out b/test/results/drda_db2.pcap.out index 09e28b28b..b29c85739 100644 --- a/test/results/drda_db2.pcap.out +++ b/test/results/drda_db2.pcap.out @@ -5,7 +5,7 @@ 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1175543772220609,"flow_dst_last_pkt_time":1175543772221098,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1175543772221098,"pkt":"AFBWwAABAAwpfMZqCABFAAAwAABAAEAG5PXAqGqAwKhqAcNQEu\/9XlZHCrRnsXASFtB6IQAAAgQFtAEBBAI="} 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1175543772221136,"flow_dst_last_pkt_time":1175543772221098,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1175543772221136,"pkt":"AAwpfMZqAFBWwAABCABFAAAoIqFAAIAGglzAqGoBwKhqgBLvw1AKtGex\/V5WSFAQ\/\/+9tQAA"} 00869{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1175543772220609,"flow_src_last_pkt_time":1175543772338468,"flow_dst_last_pkt_time":1175543772221098,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":175,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":175,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1175543772338468,"l3_proto":"ip4","src_ip":"192.168.106.1","dst_ip":"192.168.106.128","src_port":4847,"dst_port":50000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DRDA","proto_id":"227","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} -01375{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1175543772220609,"flow_src_last_pkt_time":1175543792690997,"flow_dst_last_pkt_time":1175543792523346,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":630,"flow_src_tot_l4_payload_len":2071,"flow_dst_tot_l4_payload_len":2488,"midstream":0,"thread_ts_usec":1175543792690997,"l3_proto":"ip4","src_ip":"192.168.106.1","dst_ip":"192.168.106.128","src_port":4847,"dst_port":50000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":489,"flow_avg":83566992.0,"flow_max":2633370545,"flow_stddev":457978400.0,"c_to_s_min":527,"c_to_s_avg":156108288.0,"c_to_s_max":2633370545,"c_to_s_stddev":619329472.0,"s_to_c_min":489,"s_to_c_avg":1353515.8,"s_to_c_max":17986057,"s_to_c_stddev":4454115.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":176.3,"c_to_s_max":717,"c_to_s_stddev":177.0,"s_to_c_min":54,"s_to_c_avg":220.4,"s_to_c_max":684,"s_to_c_stddev":202.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DRDA","proto_id":"227","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} +01364{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1175543772220609,"flow_src_last_pkt_time":1175543792690997,"flow_dst_last_pkt_time":1175543792523346,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":630,"flow_src_tot_l4_payload_len":2071,"flow_dst_tot_l4_payload_len":2488,"midstream":0,"thread_ts_usec":1175543792690997,"l3_proto":"ip4","src_ip":"192.168.106.1","dst_ip":"192.168.106.128","src_port":4847,"dst_port":50000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":489,"flow_avg":1315262.1,"flow_max":17986057,"flow_stddev":4366159.0,"c_to_s_min":527,"c_to_s_avg":1279399.2,"c_to_s_max":17828332,"c_to_s_stddev":4281749.5,"s_to_c_min":489,"s_to_c_avg":1353515.8,"s_to_c_max":17986057,"s_to_c_stddev":4454115.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":176.3,"c_to_s_max":717,"c_to_s_stddev":177.0,"s_to_c_min":54,"s_to_c_avg":220.4,"s_to_c_max":684,"s_to_c_stddev":202.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"DRDA","proto_id":"227","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":38,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":18,"flow_first_seen":1175543772220609,"flow_src_last_pkt_time":1175543810683631,"flow_dst_last_pkt_time":1175543810683601,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":630,"flow_src_tot_l4_payload_len":2081,"flow_dst_tot_l4_payload_len":2542,"midstream":0,"thread_ts_usec":1175543810683631,"l3_proto":"ip4","src_ip":"192.168.106.1","dst_ip":"192.168.106.128","src_port":4847,"dst_port":50000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DRDA","proto_id":"227","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":38,"source":"drda_db2.pcap","alias":"nDPId-test","packets-captured":38,"packets-processed":38,"total-skipped-flows":0,"total-l4-payload-len":4623,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1175543810683631} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121473/121473 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 479 chars -~~ json string max len.......: 1380 chars -~~ json string avg len.......: 892 chars +~~ json string max len.......: 1369 chars +~~ json string avg len.......: 888 chars diff --git a/test/results/dropbox.pcap.out b/test/results/dropbox.pcap.out index 909e7f75c..758f01aa0 100644 --- a/test/results/dropbox.pcap.out +++ b/test/results/dropbox.pcap.out @@ -10,20 +10,20 @@ 00866{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":27,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272856457,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":95,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":95,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907272856457,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272858898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":26,"thread_ts_usec":1455907272858898,"pkt":"CAAnAERyCAAnmO\/hCABFAAAuXhFAAEAR6vbAqDhlwKg4AURcxI4AGvHiYkQdqQeYiy9yL0J1czE3Q21k"} 00629{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1455907272969405,"flow_dst_last_pkt_time":1455907272858898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":141,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":141,"pkt_l4_len":107,"thread_ts_usec":1455907272969405,"pkt":"CAAnmO\/hCAAnAERyCABFAAB\/EYMAAIARNzTAqDgBwKg4ZcSORFwAa8WlRgMdqhF5z0YYRXJEXEFyCEJ1czE3Q21kETL\/eyJtZXNzYWdlVHlwZSI6IlVQREFURSIsIm1lc3NhZ2VDb250ZW50IjoiRnJpIEZlYiAxOSAyMDo0MToxMyBFRVQgMjAxNiJ9"} -01367{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907273126173,"flow_dst_last_pkt_time":1455907273127913,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1538,"flow_dst_tot_l4_payload_len":306,"midstream":0,"thread_ts_usec":1455907273127913,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1824,"flow_avg":111116912.0,"flow_max":3552450882,"flow_stddev":618081856.0,"c_to_s_min":103882,"c_to_s_avg":222130944.0,"c_to_s_max":3552450882,"c_to_s_stddev":859884928.0,"s_to_c_min":1824,"s_to_c_avg":102873.4,"s_to_c_max":115953,"s_to_c_stddev":26289.5},"pktlen": {"c_to_s_min":136,"c_to_s_avg":138.1,"c_to_s_max":143,"c_to_s_stddev":2.1,"s_to_c_min":59,"s_to_c_avg":61.1,"s_to_c_max":66,"s_to_c_stddev":2.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907273126173,"flow_dst_last_pkt_time":1455907273127913,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1538,"flow_dst_tot_l4_payload_len":306,"midstream":0,"thread_ts_usec":1455907273127913,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1824,"flow_avg":106135.8,"flow_max":117757,"flow_stddev":19323.7,"c_to_s_min":103882,"c_to_s_avg":109615.7,"c_to_s_max":117757,"c_to_s_stddev":3320.9,"s_to_c_min":1824,"s_to_c_avg":102873.4,"s_to_c_max":115953,"s_to_c_stddev":26289.5},"pktlen": {"c_to_s_min":136,"c_to_s_avg":138.1,"c_to_s_max":143,"c_to_s_stddev":2.1,"s_to_c_min":59,"s_to_c_avg":61.1,"s_to_c_max":66,"s_to_c_stddev":2.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":71,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":97,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":97,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":97,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907274088318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00628{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":71,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":139,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":139,"pkt_l4_len":105,"thread_ts_usec":1455907274088318,"pkt":"CAAnmO\/hCAAnAERyCABFAAB9EncAAIARNkLAqDgBwKg4ZcSIRFwAaR7GRANSj9XGl0FyRFxBcghCdXMxN0NtZBEy\/3sibWVzc2FnZVR5cGUiOiJVUERBVEUiLCJtZXNzYWdlQ29udGVudCI6IkZyaSBGZWIgMTkgMjA6NDE6MTQgRUVUIDIwMTYifQ=="} 00866{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":71,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":97,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":97,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":97,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907274088318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":72,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274089637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1455907274089637,"pkt":"CAAnAERyCAAnmO\/hCABFAAAwXqNAAEAR6mLAqDhlwKg4AURcxIgAHPHkZERSj9XGl0GLL3IvQnVzMTdDbWQ="} 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":77,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1455907274193327,"flow_dst_last_pkt_time":1455907274089637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":143,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":143,"pkt_l4_len":109,"thread_ts_usec":1455907274193327,"pkt":"CAAnmO\/hCAAnAERyCABFAACBEpIAAIARNiPAqDgBwKg4ZcSIRFwAbeMnSANSkLugNTWCkTE2ckRcQXIIQnVzMTdDbWQRMv97Im1lc3NhZ2VUeXBlIjoiVVBEQVRFIiwibWVzc2FnZUNvbnRlbnQiOiJGcmkgRmViIDE5IDIwOjQxOjE0IEVFVCAyMDE2In0="} -01345{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907274582746,"flow_dst_last_pkt_time":1455907274587363,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":1552,"flow_dst_tot_l4_payload_len":320,"midstream":0,"thread_ts_usec":1455907274587363,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2441,"flow_avg":113329.8,"flow_max":169358,"flow_stddev":22849.5,"c_to_s_min":105608,"c_to_s_avg":118477.9,"c_to_s_max":169358,"c_to_s_stddev":14454.9,"s_to_c_min":2441,"s_to_c_avg":108181.6,"s_to_c_max":125708,"s_to_c_stddev":27968.8},"pktlen": {"c_to_s_min":137,"c_to_s_avg":139.0,"c_to_s_max":142,"c_to_s_stddev":1.8,"s_to_c_min":60,"s_to_c_avg":62.0,"s_to_c_max":65,"s_to_c_stddev":1.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907274582746,"flow_dst_last_pkt_time":1455907274587363,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":1552,"flow_dst_tot_l4_payload_len":320,"midstream":0,"thread_ts_usec":1455907274587363,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2441,"flow_avg":111522.4,"flow_max":127663,"flow_stddev":20842.5,"c_to_s_min":105608,"c_to_s_avg":115085.9,"c_to_s_max":127663,"c_to_s_stddev":6227.5,"s_to_c_min":2441,"s_to_c_avg":108181.6,"s_to_c_max":125708,"s_to_c_stddev":27968.8},"pktlen": {"c_to_s_min":137,"c_to_s_avg":139.0,"c_to_s_max":142,"c_to_s_stddev":1.8,"s_to_c_min":60,"s_to_c_avg":62.0,"s_to_c_max":65,"s_to_c_stddev":1.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":153,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":99,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907275690777,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":153,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":141,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":141,"pkt_l4_len":107,"thread_ts_usec":1455907275690777,"pkt":"CAAnmO\/hCAAnAERyCABFAAB\/FCAAAIARNJfAqDgBwKg4ZcSPRFwAa2JLRgOAZtDWwMpn\/nJEXEFyCEJ1czE3Q21kETL\/eyJtZXNzYWdlVHlwZSI6IlVQREFURSIsIm1lc3NhZ2VDb250ZW50IjoiRnJpIEZlYiAxOSAyMDo0MToxNSBFRVQgMjAxNiJ9"} 00867{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":153,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":99,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907275690777,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":154,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275695868,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":64,"pkt_l4_len":30,"thread_ts_usec":1455907275695868,"pkt":"CAAnAERyCAAnmO\/hCABFAAAyX35AAEAR6YXAqDhlwKg4AURcxI8AHvHmZkSAZtDWwMpn\/osvci9CdXMxN0NtZA=="} 00633{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":161,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1455907275831283,"flow_dst_last_pkt_time":1455907275695868,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":1455907275831283,"pkt":"CAAnmO\/hCAAnAERyCABFAACAFEwAAIARNGrAqDgBwKg4ZcSPRFwAbLkURwOAZ6ExGoh1VzNyRFxBcghCdXMxN0NtZBEy\/3sibWVzc2FnZVR5cGUiOiJVUERBVEUiLCJtZXNzYWdlQ29udGVudCI6IkZyaSBGZWIgMTkgMjA6NDE6MTUgRUVUIDIwMTYifQ=="} -01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":166,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907275896569,"flow_dst_last_pkt_time":1455907275902611,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1564,"flow_dst_tot_l4_payload_len":332,"midstream":0,"thread_ts_usec":1455907275902611,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1319,"flow_avg":118267.2,"flow_max":162007,"flow_stddev":23372.8,"c_to_s_min":105009,"c_to_s_avg":123141.1,"c_to_s_max":162007,"c_to_s_stddev":12659.5,"s_to_c_min":1319,"s_to_c_avg":113393.3,"s_to_c_max":131359,"s_to_c_stddev":29745.6},"pktlen": {"c_to_s_min":137,"c_to_s_avg":139.8,"c_to_s_max":143,"c_to_s_stddev":1.8,"s_to_c_min":60,"s_to_c_avg":62.8,"s_to_c_max":66,"s_to_c_stddev":1.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":276,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907277661201,"flow_dst_last_pkt_time":1455907277663998,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1561,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1455907277663998,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5091,"flow_avg":127472.9,"flow_max":172321,"flow_stddev":25890.7,"c_to_s_min":106749,"c_to_s_avg":131619.4,"c_to_s_max":172321,"c_to_s_stddev":14080.1,"s_to_c_min":5091,"s_to_c_avg":123326.3,"s_to_c_max":164608,"s_to_c_stddev":33286.9},"pktlen": {"c_to_s_min":136,"c_to_s_avg":139.6,"c_to_s_max":143,"c_to_s_stddev":2.2,"s_to_c_min":59,"s_to_c_avg":62.6,"s_to_c_max":66,"s_to_c_stddev":2.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01345{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":166,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907275896569,"flow_dst_last_pkt_time":1455907275902611,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1564,"flow_dst_tot_l4_payload_len":332,"midstream":0,"thread_ts_usec":1455907275902611,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1319,"flow_avg":116856.3,"flow_max":131359,"flow_stddev":22365.2,"c_to_s_min":105009,"c_to_s_avg":120550.1,"c_to_s_max":131277,"c_to_s_stddev":7970.6,"s_to_c_min":1319,"s_to_c_avg":113393.3,"s_to_c_max":131359,"s_to_c_stddev":29745.6},"pktlen": {"c_to_s_min":137,"c_to_s_avg":139.8,"c_to_s_max":143,"c_to_s_stddev":1.8,"s_to_c_min":60,"s_to_c_avg":62.8,"s_to_c_max":66,"s_to_c_stddev":1.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":276,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907277661201,"flow_dst_last_pkt_time":1455907277663998,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1561,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1455907277663998,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5091,"flow_avg":127214.4,"flow_max":172321,"flow_stddev":26264.3,"c_to_s_min":106749,"c_to_s_avg":131361.6,"c_to_s_max":172321,"c_to_s_stddev":14505.2,"s_to_c_min":5091,"s_to_c_avg":123326.3,"s_to_c_max":164608,"s_to_c_stddev":33286.9},"pktlen": {"c_to_s_min":136,"c_to_s_avg":139.6,"c_to_s_max":143,"c_to_s_stddev":2.2,"s_to_c_min":59,"s_to_c_avg":62.6,"s_to_c_max":66,"s_to_c_stddev":2.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":801,"source":"dropbox.pcap","alias":"nDPId-test","packets-captured":801,"packets-processed":800,"total-skipped-flows":0,"total-l4-payload-len":47076,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":4,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":27,"global_ts_usec":1459182796665502} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":801,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1459182796665502,"flow_src_last_pkt_time":1459182796665502,"flow_dst_last_pkt_time":1459182796665502,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1459182796665502,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.254","src_port":55407,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":801,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1459182796665502,"flow_dst_last_pkt_time":1459182796665502,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1459182796665502,"pkt":"8IQvSpdgeJKcD6iOCABFAABAOLtAAEARfTrAqAFpwKgB\/thvADUALFKSg5wBAAABAAAAAAAABmNsaWVudAdkcm9wYm94A2NvbQAAAQAB"} @@ -118,5 +118,5 @@ ~~ total allocations/frees...: 122416/122416 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 478 chars -~~ json string max len.......: 1372 chars -~~ json string avg len.......: 925 chars +~~ json string max len.......: 1351 chars +~~ json string avg len.......: 914 chars diff --git a/test/results/emotet.pcap.out b/test/results/emotet.pcap.out index 42ed0c6bd..68f94c330 100644 --- a/test/results/emotet.pcap.out +++ b/test/results/emotet.pcap.out @@ -5,14 +5,14 @@ 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1645830066121611,"flow_dst_last_pkt_time":1645830066871134,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1645830066871134,"pkt":"AAgCHEeuIOUqtpPxCABFAAAsxzIAAIAGd+HB\/BZUCgIZZgJL392K6SffzSFkt2AS+vDaogAAAgQFtA=="} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1645830066871330,"flow_dst_last_pkt_time":1645830066871134,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1645830066871330,"pkt":"IOUqtpPxAAgCHEeuCABFAAAowBNAAIAGPwQKAhlmwfwWVN\/dAkvNIWS3iukn4FAQ+vDyXwAA"} 00936{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1645830066121611,"flow_src_last_pkt_time":1645830067978107,"flow_dst_last_pkt_time":1645830068348052,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":21,"flow_dst_max_l4_payload_len":160,"flow_src_tot_l4_payload_len":21,"flow_dst_tot_l4_payload_len":214,"midstream":0,"thread_ts_usec":1645830068348052,"l3_proto":"ip4","src_ip":"10.2.25.102","dst_ip":"193.252.22.84","src_port":57309,"dst_port":587,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"opmta1mto02nd1","smtp": {"user":"","password":"","auth_failed":0}}} -01355{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1645830066121611,"flow_src_last_pkt_time":1645830074471734,"flow_dst_last_pkt_time":1645830074471604,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":698,"flow_dst_max_l4_payload_len":160,"flow_src_tot_l4_payload_len":898,"flow_dst_tot_l4_payload_len":391,"midstream":0,"thread_ts_usec":1645830074471734,"l3_proto":"ip4","src_ip":"10.2.25.102","dst_ip":"193.252.22.84","src_port":57309,"dst_port":587,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":254,"flow_avg":90936296.0,"flow_max":2893261435,"flow_stddev":503313024.0,"c_to_s_min":254,"c_to_s_avg":223200880.0,"c_to_s_max":2893261435,"c_to_s_stddev":770780480.0,"s_to_c_min":420,"s_to_c_avg":439473.3,"s_to_c_max":3054676,"s_to_c_stddev":729355.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":124.0,"c_to_s_max":752,"c_to_s_stddev":181.8,"s_to_c_min":54,"s_to_c_avg":74.8,"s_to_c_max":214,"s_to_c_stddev":37.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}} +01338{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1645830066121611,"flow_src_last_pkt_time":1645830074471734,"flow_dst_last_pkt_time":1645830074471604,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":698,"flow_dst_max_l4_payload_len":160,"flow_src_tot_l4_payload_len":898,"flow_dst_tot_l4_payload_len":391,"midstream":0,"thread_ts_usec":1645830074471734,"l3_proto":"ip4","src_ip":"10.2.25.102","dst_ip":"193.252.22.84","src_port":57309,"dst_port":587,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":254,"flow_avg":538713.4,"flow_max":3056402,"flow_stddev":774055.0,"c_to_s_min":254,"c_to_s_avg":695843.6,"c_to_s_max":3056402,"c_to_s_stddev":815646.8,"s_to_c_min":420,"s_to_c_avg":439473.3,"s_to_c_max":3054676,"s_to_c_stddev":729355.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":124.0,"c_to_s_max":752,"c_to_s_stddev":181.8,"s_to_c_min":54,"s_to_c_avg":74.8,"s_to_c_max":214,"s_to_c_stddev":37.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}} 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":627,"source":"emotet.pcap","alias":"nDPId-test","packets-captured":627,"packets-processed":626,"total-skipped-flows":0,"total-l4-payload-len":404645,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1648563468993352} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":627,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563468993352,"flow_dst_last_pkt_time":1648563468993352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1648563468993352,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":627,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1648563468993352,"flow_dst_last_pkt_time":1648563468993352,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1648563468993352,"pkt":"IOUqtpPxAAgCHEeuCABFAAA0EddAAIAG2c0KAx1laKF\/Ftv1AFBvd7IvAAAAAIAC+vBnEwAAAgQFtAEDAwgBAQQC"} 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":628,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1648563468993352,"flow_dst_last_pkt_time":1648563469109116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1648563469109116,"pkt":"AAgCHEeuIOUqtpPxCABFAAAsoCoAAIAGi4JooX8WCgMdZQBQ2\/UuAEklb3eyMGAS+vAY8wAAAgQFtA=="} 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":629,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1648563469109248,"flow_dst_last_pkt_time":1648563469109116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1648563469109248,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoEdhAAIAG2dgKAx1laKF\/Ftv1AFBvd7IwLgBJJlAQ+vAwsAAA"} 01142{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":630,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563469109583,"flow_dst_last_pkt_time":1648563469109116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":446,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1648563469109583,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fkl.co.ke","http": {"url":"fkl.co.ke\/wp-content\/Elw3kPvOsZxM5\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.74 Safari\/537.36 Edg\/99.0.1150.55","detected_os":"Windows 10"}}} -01355{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":658,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563469442201,"flow_dst_last_pkt_time":1648563469442152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":446,"flow_dst_max_l4_payload_len":1361,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":24498,"midstream":0,"thread_ts_usec":1648563469442201,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":77,"flow_avg":55797828.0,"flow_max":1784632806,"flow_stddev":310507936.0,"c_to_s_min":335,"c_to_s_avg":148756800.0,"c_to_s_max":1784632806,"c_to_s_stddev":493235200.0,"s_to_c_min":77,"s_to_c_avg":22440.0,"s_to_c_max":204207,"s_to_c_stddev":54015.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":92.2,"c_to_s_max":500,"c_to_s_stddev":123.0,"s_to_c_min":54,"s_to_c_avg":1279.1,"s_to_c_max":1415,"s_to_c_stddev":407.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":658,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563469442201,"flow_dst_last_pkt_time":1648563469442152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":446,"flow_dst_max_l4_payload_len":1361,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":24498,"midstream":0,"thread_ts_usec":1648563469442201,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":77,"flow_avg":28956.4,"flow_max":204389,"flow_stddev":59845.4,"c_to_s_min":335,"c_to_s_avg":40804.5,"c_to_s_max":204389,"c_to_s_stddev":67607.4,"s_to_c_min":77,"s_to_c_avg":22440.0,"s_to_c_max":204207,"s_to_c_stddev":54015.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":92.2,"c_to_s_max":500,"c_to_s_stddev":123.0,"s_to_c_min":54,"s_to_c_avg":1279.1,"s_to_c_max":1415,"s_to_c_stddev":407.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00908{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":831,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":303,"flow_dst_packets_processed":323,"flow_first_seen":1645830066121611,"flow_src_last_pkt_time":1645830085160825,"flow_dst_last_pkt_time":1645830085160896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":160,"flow_src_tot_l4_payload_len":403803,"flow_dst_tot_l4_payload_len":842,"midstream":0,"thread_ts_usec":1648563473087528,"l3_proto":"ip4","src_ip":"10.2.25.102","dst_ip":"193.252.22.84","src_port":57309,"dst_port":587,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}} 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":835,"source":"emotet.pcap","alias":"nDPId-test","packets-captured":835,"packets-processed":834,"total-skipped-flows":0,"total-l4-payload-len":582320,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1650490398530577} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":835,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490398530577,"flow_dst_last_pkt_time":1650490398530577,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650490398530577,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -21,7 +21,7 @@ 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":837,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1650490398628126,"flow_dst_last_pkt_time":1650490398627831,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1650490398628126,"pkt":"IOUqtpPxAAgCHEeuCABFAAAo\/mNAAIAGv44KBBRma6Gy0tQvAFBRzVZnDPZp\/FAQBAB7UAAAAAAAAAAA"} 01082{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":838,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490398628513,"flow_dst_last_pkt_time":1650490398627831,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650490398628513,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"gandhitoday.org","http": {"url":"gandhitoday.org\/video\/6JvA8\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","detected_os":"Windows 10"}}} 01222{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":839,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490398628513,"flow_dst_last_pkt_time":1650490398888771,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1650490398888771,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"gandhitoday.org","http": {"url":"gandhitoday.org\/video\/6JvA8\/","code":200,"content_type":"","user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","detected_os":"Windows 10"}}} -01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":866,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490399009658,"flow_dst_last_pkt_time":1650490399009514,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":19432,"midstream":0,"thread_ts_usec":1650490399009658,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":40,"flow_avg":86670472.0,"flow_max":2772497083,"flow_stddev":482388704.0,"c_to_s_min":40,"c_to_s_avg":163116240.0,"c_to_s_max":2772497083,"c_to_s_stddev":652345216.0,"s_to_c_min":69,"s_to_c_avg":31929.1,"s_to_c_max":260940,"s_to_c_stddev":66618.8},"pktlen": {"c_to_s_min":60,"c_to_s_avg":73.2,"c_to_s_max":279,"c_to_s_stddev":51.5,"s_to_c_min":62,"s_to_c_avg":1350.0,"s_to_c_max":1442,"s_to_c_stddev":344.2}},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01455{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":866,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490399009658,"flow_dst_last_pkt_time":1650490399009514,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":19432,"midstream":0,"thread_ts_usec":1650490399009658,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":40,"flow_avg":30903.8,"flow_max":260940,"flow_stddev":65726.9,"c_to_s_min":40,"c_to_s_avg":29942.6,"c_to_s_max":260431,"c_to_s_stddev":64864.8,"s_to_c_min":69,"s_to_c_avg":31929.1,"s_to_c_max":260940,"s_to_c_stddev":66618.8},"pktlen": {"c_to_s_min":60,"c_to_s_avg":73.2,"c_to_s_max":279,"c_to_s_stddev":51.5,"s_to_c_min":62,"s_to_c_avg":1350.0,"s_to_c_max":1442,"s_to_c_stddev":344.2}},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00906{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1664,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":72,"flow_dst_packets_processed":136,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563480808552,"flow_dst_last_pkt_time":1648563480808458,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":537,"flow_dst_max_l4_payload_len":1361,"flow_src_tot_l4_payload_len":983,"flow_dst_tot_l4_payload_len":176692,"midstream":0,"thread_ts_usec":1650490407650290,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00565{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1664,"source":"emotet.pcap","alias":"nDPId-test","packets-captured":1664,"packets-processed":1663,"total-skipped-flows":0,"total-l4-payload-len":1352571,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":1,"total-updates":0,"current-active-flows":1,"total-active-flows":3,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":26,"global_ts_usec":1650905413858492} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1664,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905413858492,"flow_dst_last_pkt_time":1650905413858492,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905413858492,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -30,7 +30,7 @@ 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1666,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1650905414043020,"flow_dst_last_pkt_time":1650905414042728,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1650905414043020,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoLKZAAIAGOLwKBBllTWkknMKFAFDxFWwhKWw3CFAQAgOX4gAAAAAAAAAA"} 01133{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1667,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905414043252,"flow_dst_last_pkt_time":1650905414042728,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905414043252,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"filmmogzivota.rs","http": {"url":"filmmogzivota.rs\/SpryAssets\/gDR\/","code":0,"content_type":"","user_agent":"vBKbaQgjyvRRbcgfvlsc"}}} 01286{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1669,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905414043252,"flow_dst_last_pkt_time":1650905414335184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":572,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":572,"midstream":0,"thread_ts_usec":1650905414335184,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"filmmogzivota.rs","http": {"url":"filmmogzivota.rs\/SpryAssets\/gDR\/","code":200,"content_type":"application\/x-msdownload","user_agent":"vBKbaQgjyvRRbcgfvlsc"}}} -01597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1695,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905414512477,"flow_dst_last_pkt_time":1650905414512421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":26616,"midstream":0,"thread_ts_usec":1650905414512477,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":56,"flow_avg":84085992.0,"flow_max":2689443880,"flow_stddev":467936096.0,"c_to_s_min":56,"c_to_s_avg":269009792.0,"c_to_s_max":2689443880,"c_to_s_stddev":806811328.0,"s_to_c_min":68,"s_to_c_avg":29724.0,"s_to_c_max":184236,"s_to_c_stddev":62423.7},"pktlen": {"c_to_s_min":60,"c_to_s_avg":75.2,"c_to_s_max":206,"c_to_s_stddev":43.6,"s_to_c_min":60,"s_to_c_avg":1264.6,"s_to_c_max":1442,"s_to_c_stddev":420.2}},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} +01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1695,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905414512477,"flow_dst_last_pkt_time":1650905414512421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":26616,"midstream":0,"thread_ts_usec":1650905414512477,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":56,"flow_avg":42190.8,"flow_max":292217,"flow_stddev":79641.8,"c_to_s_min":56,"c_to_s_avg":72665.0,"c_to_s_max":292217,"c_to_s_stddev":104945.5,"s_to_c_min":68,"s_to_c_avg":29724.0,"s_to_c_max":184236,"s_to_c_stddev":62423.7},"pktlen": {"c_to_s_min":60,"c_to_s_avg":75.2,"c_to_s_max":206,"c_to_s_stddev":43.6,"s_to_c_min":60,"s_to_c_avg":1264.6,"s_to_c_max":1442,"s_to_c_stddev":420.2}},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 01032{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2228,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":272,"flow_dst_packets_processed":557,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490407554682,"flow_dst_last_pkt_time":1650490407650290,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":770026,"midstream":0,"thread_ts_usec":1650905415845438,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2228,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905467542773,"flow_dst_last_pkt_time":1650905467542773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905467542773,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2228,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1650905467542773,"flow_dst_last_pkt_time":1650905467542773,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1650905467542773,"pkt":"IOUqtpPxAAgCHEeuCABFAAA0C55AAIAGrZIKBBllisWTZcKLAbv3Q1KhAAAAAIAC\/\/8fUQAAAgQFtAEDAwgBAQQC"} @@ -38,7 +38,7 @@ 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2230,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1650905467652398,"flow_dst_last_pkt_time":1650905467652145,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1650905467652398,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoC59AAIAGrZ0KBBllisWTZcKLAbv3Q1KiR\/jAO1AQBABT4AAAAAAAAAAA"} 01248{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2231,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905467666537,"flow_dst_last_pkt_time":1650905467652145,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905467666537,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"51c64c77e60f3980eea90869b68c58a8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01777{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2233,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905467666537,"flow_dst_last_pkt_time":1650905467789145,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1378,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":1378,"midstream":0,"thread_ts_usec":1650905467789145,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"51c64c77e60f3980eea90869b68c58a8","ja3s":"ec74a5c51106f0419184d0dd08fb05bc","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","subjectDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","fingerprint":"43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93"}}} -01212{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905469294827,"flow_dst_last_pkt_time":1650905469297748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":19664,"midstream":0,"thread_ts_usec":1650905469297748,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":58,"flow_avg":1781313.8,"flow_max":51713698,"flow_stddev":9120885.0,"c_to_s_min":58,"c_to_s_avg":4112750.2,"c_to_s_max":51713698,"c_to_s_stddev":13745083.0,"s_to_c_min":71,"s_to_c_avg":97498.6,"s_to_c_max":1117119,"s_to_c_stddev":253253.8},"pktlen": {"c_to_s_min":60,"c_to_s_avg":115.1,"c_to_s_max":534,"c_to_s_stddev":122.8,"s_to_c_min":60,"s_to_c_avg":1147.8,"s_to_c_max":1442,"s_to_c_stddev":551.2}}} +01205{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905469294827,"flow_dst_last_pkt_time":1650905469297748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":19664,"midstream":0,"thread_ts_usec":1650905469297748,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":58,"flow_avg":116901.0,"flow_max":1262510,"flow_stddev":291863.6,"c_to_s_min":58,"c_to_s_avg":146004.5,"c_to_s_max":1262510,"c_to_s_stddev":339621.8,"s_to_c_min":71,"s_to_c_avg":97498.6,"s_to_c_max":1117119,"s_to_c_stddev":253253.8},"pktlen": {"c_to_s_min":60,"c_to_s_avg":115.1,"c_to_s_max":534,"c_to_s_stddev":122.8,"s_to_c_min":60,"s_to_c_avg":1147.8,"s_to_c_max":1442,"s_to_c_stddev":551.2}}} 01780{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2259,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905469294827,"flow_dst_last_pkt_time":1650905469297748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":19664,"midstream":0,"thread_ts_usec":1650905469297748,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"51c64c77e60f3980eea90869b68c58a8","ja3s":"ec74a5c51106f0419184d0dd08fb05bc","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","subjectDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","fingerprint":"43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93"}}} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2359,"source":"emotet.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650905469778844,"flow_src_last_pkt_time":1650905469778844,"flow_dst_last_pkt_time":1650905469778844,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905469778844,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2359,"source":"emotet.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1650905469778844,"flow_dst_last_pkt_time":1650905469778844,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1650905469778844,"pkt":"IOUqtpPxAAgCHEeuCABFAAA0C9hAAIAGrVgKBBllisWTZcKMAbv+vEuFAAAAAIAC\/\/8e8wAAAgQFtAEDAwgBAQQC"} diff --git a/test/results/ethereum.pcap.out b/test/results/ethereum.pcap.out index 00edcb3ec..cb2b7648f 100644 --- a/test/results/ethereum.pcap.out +++ b/test/results/ethereum.pcap.out @@ -86,11 +86,11 @@ 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":109,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364654361,"flow_src_last_pkt_time":1578508364654361,"flow_dst_last_pkt_time":1578508364654361,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":171,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":171,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":171,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364654361,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"128.0.51.140","src_port":30303,"dst_port":30303,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":124,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364523420,"flow_dst_last_pkt_time":1578508364657828,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364657828,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAAC8GWDwD0S1PwKgBuHZf3TTdrvLSmxdVZqAScSC43wAAAgQFrAQCCApOlRAnItiUTwEDAwc="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":126,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364657930,"flow_dst_last_pkt_time":1578508364657828,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364657930,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGR0TAqAG4A9EtT900dl+bF1Vm3a7y04AQECxIFwAAAQEICiLYlNBOlRAn"} -01450{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":133,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522958,"flow_src_last_pkt_time":1578508364631940,"flow_dst_last_pkt_time":1578508364658815,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":495,"flow_dst_max_l4_payload_len":448,"flow_src_tot_l4_payload_len":735,"flow_dst_tot_l4_payload_len":512,"midstream":0,"thread_ts_usec":1578508364658815,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.158.244.151","src_port":56615,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":7750.4,"flow_max":63466,"flow_stddev":18055.7,"c_to_s_min":3,"c_to_s_avg":5340.8,"c_to_s_max":62123,"c_to_s_stddev":15619.1,"s_to_c_min":10,"s_to_c_avg":12350.6,"s_to_c_max":63466,"s_to_c_stddev":21222.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.6,"c_to_s_max":561,"c_to_s_stddev":106.2,"s_to_c_min":60,"s_to_c_avg":112.2,"s_to_c_max":514,"s_to_c_stddev":127.5}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01450{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":133,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522958,"flow_src_last_pkt_time":1578508364631940,"flow_dst_last_pkt_time":1578508364658815,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":495,"flow_dst_max_l4_payload_len":448,"flow_src_tot_l4_payload_len":735,"flow_dst_tot_l4_payload_len":512,"midstream":0,"thread_ts_usec":1578508364658815,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.158.244.151","src_port":56615,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":7898.0,"flow_max":63466,"flow_stddev":18325.6,"c_to_s_min":3,"c_to_s_avg":5449.1,"c_to_s_max":62123,"c_to_s_stddev":15997.1,"s_to_c_min":10,"s_to_c_avg":12350.6,"s_to_c_max":63466,"s_to_c_stddev":21222.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.6,"c_to_s_max":561,"c_to_s_stddev":106.2,"s_to_c_min":60,"s_to_c_avg":112.2,"s_to_c_max":514,"s_to_c_stddev":127.5}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":140,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364659294,"flow_src_last_pkt_time":1578508364659294,"flow_dst_last_pkt_time":1578508364659294,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364659294,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"40.67.144.128","src_port":56630,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":140,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1578508364659294,"flow_dst_last_pkt_time":1578508364659294,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508364659294,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGv5TAqAG4KEOQgN02dl98bCWSAAAAALAC\/\/8OmwAAAgQFtAEDAwUBAQgKItiU0QAAAAAEAgAA"} 00983{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":141,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364523420,"flow_src_last_pkt_time":1578508364659971,"flow_dst_last_pkt_time":1578508364657828,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":395,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":395,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364659971,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"3.209.45.79","src_port":56628,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01451{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364523356,"flow_src_last_pkt_time":1578508364663606,"flow_dst_last_pkt_time":1578508364664348,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":404,"flow_src_tot_l4_payload_len":1106,"flow_dst_tot_l4_payload_len":612,"midstream":0,"thread_ts_usec":1578508364664348,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.128.195.220","src_port":56626,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8900.4,"flow_max":62996,"flow_stddev":18580.1,"c_to_s_min":2,"c_to_s_avg":7191.1,"c_to_s_max":62996,"c_to_s_stddev":16898.1,"s_to_c_min":1,"s_to_c_avg":11749.3,"s_to_c_max":62851,"s_to_c_stddev":20777.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":121.9,"c_to_s_max":612,"c_to_s_stddev":128.5,"s_to_c_min":66,"s_to_c_avg":121.7,"s_to_c_max":470,"s_to_c_stddev":112.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01451{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364523356,"flow_src_last_pkt_time":1578508364663606,"flow_dst_last_pkt_time":1578508364664348,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":404,"flow_src_tot_l4_payload_len":1106,"flow_dst_tot_l4_payload_len":612,"midstream":0,"thread_ts_usec":1578508364664348,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.128.195.220","src_port":56626,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9072.3,"flow_max":62996,"flow_stddev":18852.3,"c_to_s_min":2,"c_to_s_avg":7381.6,"c_to_s_max":62996,"c_to_s_stddev":17316.2,"s_to_c_min":1,"s_to_c_avg":11749.3,"s_to_c_max":62851,"s_to_c_stddev":20777.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":121.9,"c_to_s_max":612,"c_to_s_stddev":128.5,"s_to_c_min":66,"s_to_c_avg":121.7,"s_to_c_max":470,"s_to_c_stddev":112.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":181,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364522823,"flow_dst_last_pkt_time":1578508364667606,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364667606,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADEG8jtCKlL2wKgBuHZf3SQj+YV4f2iiaKAScSArVwAAAgQFrAQCCAodkmB\/ItiUTwEDAwc="} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":182,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364667656,"flow_dst_last_pkt_time":1578508364667606,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364667656,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG40PAqAG4QipS9t0kdl9\/aKJoI\/mFeYAQECy6hgAAAQEICiLYlNgdkmB\/"} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":183,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364632239,"flow_dst_last_pkt_time":1578508364668680,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364668680,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADEGF+czJjxPwKgBuHZf3TW8w0qY6ojTGKAScSDV+QAAAgQFrAQCCAphOp2qItiUuAEDAwc="} @@ -109,7 +109,7 @@ 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":238,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364522827,"flow_dst_last_pkt_time":1578508364717778,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364717778,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAACMGVBhoKtkZwKgBuHZf3SMhYrdg7BRmI6AS\/ohxlQAAAgQFoAQCCAru0q\/IItiUTwEDAwc="} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":239,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364717893,"flow_dst_last_pkt_time":1578508364717778,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364717893,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGNyDAqAG4aCrZGd0jdl\/sFGYjIWK3YYAQEAmOFAAAAQEICiLYlQju0q\/I"} 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":240,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364522827,"flow_src_last_pkt_time":1578508364719135,"flow_dst_last_pkt_time":1578508364717778,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":490,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":490,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364719135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"104.42.217.25","src_port":56611,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01449{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":242,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523418,"flow_src_last_pkt_time":1578508364659019,"flow_dst_last_pkt_time":1578508364721593,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":402,"flow_src_tot_l4_payload_len":752,"flow_dst_tot_l4_payload_len":466,"midstream":0,"thread_ts_usec":1578508364721593,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"34.255.23.113","src_port":56627,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":10544.1,"flow_max":70198,"flow_stddev":23814.8,"c_to_s_min":2,"c_to_s_avg":6630.2,"c_to_s_max":70198,"c_to_s_stddev":19463.6,"s_to_c_min":2,"s_to_c_avg":18015.9,"s_to_c_max":70028,"s_to_c_stddev":29009.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":102.4,"c_to_s_max":578,"c_to_s_stddev":109.7,"s_to_c_min":60,"s_to_c_avg":108.0,"s_to_c_max":468,"s_to_c_stddev":114.3}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01449{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":242,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523418,"flow_src_last_pkt_time":1578508364659019,"flow_dst_last_pkt_time":1578508364721593,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":402,"flow_src_tot_l4_payload_len":752,"flow_dst_tot_l4_payload_len":466,"midstream":0,"thread_ts_usec":1578508364721593,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"34.255.23.113","src_port":56627,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":10767.0,"flow_max":70198,"flow_stddev":24163.0,"c_to_s_min":2,"c_to_s_avg":6780.0,"c_to_s_max":70198,"c_to_s_stddev":19932.4,"s_to_c_min":2,"s_to_c_avg":18015.9,"s_to_c_max":70028,"s_to_c_stddev":29009.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":102.4,"c_to_s_max":578,"c_to_s_stddev":109.7,"s_to_c_min":60,"s_to_c_avg":108.0,"s_to_c_max":468,"s_to_c_stddev":114.3}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 01930{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":252,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364654361,"flow_dst_last_pkt_time":1578508364729181,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1097,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1097,"pkt_l4_len":1063,"thread_ts_usec":1578508364729181,"pkt":"KDc3AG3IEBMx8Tl2CABFAAQ7gO1AADART9iAADOMwKgBuHZfdl8EJxcg9PffAeslidE0A2XYKUWPfQSrSzELT24RQsZMkDFAUC\/8t71UobxaKgVF9YFxtOS9Li4RLrxMDnrT4k5PGgw2NDHZtKrKg8J\/d2YlScEj\/YBR+sG3bhx8yqSCwFLu+QmtAQT5A7r5A7L4TYRQniRSgnZfgnZfuEDy+3Y1qZpk8\/KZSHkhI\/dUtq2PmnojEAJ+pvc2bi3A23IJ6RM8OAW49hm6EgP+nw9QrdJ1FOvq3+1MzaqVwKmC+E2ETi\/CnoJ2X4J2X7hA+Q4zg2oOekCIJoV1y\/ualFI8sA2WiSVXjBsUf\/fkEaUBa4ucL3qlgbfTJJpR6RtQSjEN0kW4Om6HGzu56xhcP\/hNhF6CJvWCdl+Cdl+4QCa0AdVA2\/h5KxbzG7wSXhKLcgLDQf3VZM6j4pcDpEr22I0w8vjr3eeZrANzqy+B0k7Jw6sj9qOYOkYu9v1\/HcL4S4QXZGXDgsVFgLhA4dMHiHESZvaZv5XwOSEg7GIAhtTuq\/1+kuZamW7NEWy5Mx7jYjqriPSY+yi8MCrIJ809xx8ts8E05ybrI5RK9vhNhHTKaT+Cdl+Cdl+4QNscTNh1YzVnvcLB2a2lU2bz3gyaTlXXbE+pFLDVoDdFI5ADpod42cruH9wQt79YZLxlJa01FygTlV6X9wnzbsb4TYRSpWAfgnZhgnZhuECxFAegsyOgyfrql\/zztxCELDSekbbhUJf21H8iSNiW9cKP2xirrTz8RKLVHxNA2LkFNcMF8l9m+GUUJJ3wo0ve+E2EZ\/0rzIJ2X4J2X7hA0+1Q\/zfDwmqiJ4L7\/yvPXaADca3\/aoKeqi6XasejIDSTPmS2ILmdZ2LgwWGNQRAtsR66VqR5PIUppHE6JTXzu\/hNhC9aDGqCdl+Cdl+4QEWucUJTr5uswusybUrNZinvmACa+spHP3M8Ca80aMiKTDP2An9QqqbsJgkcvDnFqQSdwmVB0j3FFWWOWXchmBH4TYQ03B+BglLcglLcuEC4ECYNzxwi2kJoJQjyJ6lUniuRlC+UndNWqAZRufW0X533Ymm1WtW8x0w\/1eGqPwGeOGNfU57w7mmrZv5S0MuC+E2EoBCKUoJ2X4J2X7hA7pvrsi4uzujUwcCnzbOXM3k+PSTxp6vSaGlZ+vjNNS2DLnFg12pt76j1a3+aMxZ2sjeuJ4ACTqyhbBihj1yObfhNhLB96meCdl+Cdl+4QMGwHxHg22IaagGZCrHWyox4ceWSrkz5+TUJ7FvSKEAsyUrKnBQ1BKg4U4OyDXv653Ump5Su2Klg\/PAjth\/4FVX4TYQDCFzcgnZfgnZfuEAOe5LjgOGocDnrwWucrGwohrnh\/PIVvUNi2EPcxA3lL9o2I1kGKrrcltIHdy07g5GmzReWD9IntTCd9ncDRnHuhF4WIGA="} 01070{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":253,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364654361,"flow_dst_last_pkt_time":1578508364729798,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":467,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":467,"pkt_l4_len":433,"thread_ts_usec":1578508364729798,"pkt":"KDc3AG3IEBMx8Tl2CABFAAHFgO5AADARUk2AADOMwKgBuHZfdl8BsUbFE+HTPyEyomNSay73CyfrLD8rHnhX7vxj92G3He3rB8i3yggvxA3gI120fMxC8T5NSVg69zUML0xXdXDn6x+i1UJlYzm2ZsL8HkXRcVxsD7\/Cz8uc2cDeR5GmI31rs3BBAAT5AUT5ATz4TYRWzyr3gnZfgnZfuEAwPG4npPFCKterF6wXX6hmKDtHpPLV5Gpyh4HRvQlb1WOtMBiFa5iB1p48IlU7yQzlUhHlEKU2TAWk+UxWCOtE+E2EwKkGMYJ2X4J2X7hAXDWjwnntCdEfY7ZsbIcma6dZim0sS\/6AZlg+cBMsOylaupmT4K85DC7A88jAAB9\/AkNP7Q7FRuWOzTw655z20fhNhF\/YD6SCdl+Cdl+4QMhe7o3oH5yNMBpAbg7BFfLQiRhzAx0IcRlGupvV\/Zui89t4l4x5tGAZhBv4cgNKbiHVFqGfCeCtDh7KA5ZNUtn4TYQ2yX4zgnZfgnZfuEBWXo894U5qji3Sd9oPTupJEBwpi5JkOWop7uGO9PMehSCnS4eHg4+tauk7NJIwG19teeCjKxS93DtycMhLIWGEhF4WIGA="} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":254,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364732443,"flow_src_last_pkt_time":1578508364732443,"flow_dst_last_pkt_time":1578508364732443,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364732443,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"111.229.0.180","src_port":30303,"dst_port":20182,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -128,7 +128,7 @@ 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":273,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364523109,"flow_dst_last_pkt_time":1578508364786203,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364786203,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAAC0GKKu\/6qLGwKgBuHZf3SxpEHBBX7euwaAS\/ohj6AAAAgQFoAQCCAo0GJnqItiUTwEDAwc="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":274,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364786273,"flow_dst_last_pkt_time":1578508364786203,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364786273,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGFbPAqAG4v+qixt0sdl9ft67BaRBwQoAQEAmAJwAAAQEICiLYlUg0GJnq"} 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":275,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364523039,"flow_src_last_pkt_time":1578508364786351,"flow_dst_last_pkt_time":1578508364784751,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":450,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364786351,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.231.165.108","src_port":56618,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01443{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":278,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1578508364632239,"flow_src_last_pkt_time":1578508364714483,"flow_dst_last_pkt_time":1578508364786943,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":421,"flow_dst_max_l4_payload_len":340,"flow_src_tot_l4_payload_len":661,"flow_dst_tot_l4_payload_len":404,"midstream":0,"thread_ts_usec":1578508364786943,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.60.79","src_port":56629,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":7414.3,"flow_max":72892,"flow_stddev":17682.7,"c_to_s_min":1,"c_to_s_avg":4344.9,"c_to_s_max":43065,"c_to_s_stddev":12206.6,"s_to_c_min":1,"s_to_c_avg":11900.3,"s_to_c_max":72892,"s_to_c_stddev":22759.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.4,"c_to_s_max":487,"c_to_s_stddev":95.1,"s_to_c_min":60,"s_to_c_avg":95.4,"s_to_c_max":406,"s_to_c_stddev":90.5}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01443{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":278,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1578508364632239,"flow_src_last_pkt_time":1578508364714483,"flow_dst_last_pkt_time":1578508364786943,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":421,"flow_dst_max_l4_payload_len":340,"flow_src_tot_l4_payload_len":661,"flow_dst_tot_l4_payload_len":404,"midstream":0,"thread_ts_usec":1578508364786943,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.60.79","src_port":56629,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":7643.5,"flow_max":72892,"flow_stddev":17918.8,"c_to_s_min":1,"c_to_s_avg":4569.1,"c_to_s_max":43065,"c_to_s_stddev":12502.9,"s_to_c_min":1,"s_to_c_avg":11900.3,"s_to_c_max":72892,"s_to_c_stddev":22759.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.4,"c_to_s_max":487,"c_to_s_stddev":95.1,"s_to_c_min":60,"s_to_c_avg":95.4,"s_to_c_max":406,"s_to_c_stddev":90.5}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":285,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364523109,"flow_src_last_pkt_time":1578508364787529,"flow_dst_last_pkt_time":1578508364786203,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":512,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364787529,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"191.234.162.198","src_port":56620,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":286,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364714836,"flow_dst_last_pkt_time":1578508364789015,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364789015,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAADMGVclSkdz5wKgBuHZf3TlFnUTdn3ylU6AScSDFhwAAAgQFrAQCCAqGNr5sItiVBQEDAwc="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":287,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364789130,"flow_dst_last_pkt_time":1578508364789015,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364789130,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGSNnAqAG4UpHc+d05dl+ffKVTRZ1E3oAQECxU+wAAAQEICiLYlUqGNr5s"} @@ -155,8 +155,8 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":384,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364523145,"flow_dst_last_pkt_time":1578508364877648,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364877648,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAACEGk4U0u88bwKgBuHZf3S3Pd7n11PppgaAS\/oiD+wAAAgQFoAQCCApvJb2EItiUTwEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":385,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364877742,"flow_dst_last_pkt_time":1578508364877648,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364877742,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGdI3AqAG4NLvPG90tdl\/U+mmBz3e59oAQEAmf6AAAAQEICiLYlZpvJb2E"} 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":386,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364523145,"flow_src_last_pkt_time":1578508364879259,"flow_dst_last_pkt_time":1578508364877648,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":525,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364879259,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.187.207.27","src_port":56621,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01448{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":388,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364682687,"flow_src_last_pkt_time":1578508364832409,"flow_dst_last_pkt_time":1578508364898847,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":479,"flow_dst_max_l4_payload_len":439,"flow_src_tot_l4_payload_len":719,"flow_dst_tot_l4_payload_len":503,"midstream":0,"thread_ts_usec":1578508364898847,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.81.180","src_port":56632,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":11441.7,"flow_max":78584,"flow_stddev":26222.7,"c_to_s_min":1,"c_to_s_avg":7141.6,"c_to_s_max":78584,"c_to_s_stddev":21610.5,"s_to_c_min":4,"s_to_c_avg":19650.9,"s_to_c_max":78125,"s_to_c_stddev":31719.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":100.8,"c_to_s_max":545,"c_to_s_stddev":102.9,"s_to_c_min":60,"s_to_c_avg":111.4,"s_to_c_max":505,"s_to_c_stddev":124.9}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01449{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":408,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1578508364714836,"flow_src_last_pkt_time":1578508364867557,"flow_dst_last_pkt_time":1578508364919424,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":442,"flow_dst_max_l4_payload_len":422,"flow_src_tot_l4_payload_len":682,"flow_dst_tot_l4_payload_len":486,"midstream":0,"thread_ts_usec":1578508364919424,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"82.145.220.249","src_port":56633,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":11177.9,"flow_max":77251,"flow_stddev":25907.5,"c_to_s_min":2,"c_to_s_avg":9006.2,"c_to_s_max":76054,"c_to_s_stddev":24164.7,"s_to_c_min":2,"s_to_c_avg":13639.2,"s_to_c_max":77251,"s_to_c_stddev":27544.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":106.8,"c_to_s_max":508,"c_to_s_stddev":104.4,"s_to_c_min":60,"s_to_c_avg":94.5,"s_to_c_max":488,"s_to_c_stddev":105.9}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01448{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":388,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364682687,"flow_src_last_pkt_time":1578508364832409,"flow_dst_last_pkt_time":1578508364898847,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":479,"flow_dst_max_l4_payload_len":439,"flow_src_tot_l4_payload_len":719,"flow_dst_tot_l4_payload_len":503,"midstream":0,"thread_ts_usec":1578508364898847,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.81.180","src_port":56632,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":11802.6,"flow_max":78584,"flow_stddev":26563.9,"c_to_s_min":1,"c_to_s_avg":7486.1,"c_to_s_max":78584,"c_to_s_stddev":22087.8,"s_to_c_min":4,"s_to_c_avg":19650.9,"s_to_c_max":78125,"s_to_c_stddev":31719.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":100.8,"c_to_s_max":545,"c_to_s_stddev":102.9,"s_to_c_min":60,"s_to_c_avg":111.4,"s_to_c_max":505,"s_to_c_stddev":124.9}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01449{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":408,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1578508364714836,"flow_src_last_pkt_time":1578508364867557,"flow_dst_last_pkt_time":1578508364919424,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":442,"flow_dst_max_l4_payload_len":422,"flow_src_tot_l4_payload_len":682,"flow_dst_tot_l4_payload_len":486,"midstream":0,"thread_ts_usec":1578508364919424,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"82.145.220.249","src_port":56633,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":11526.1,"flow_max":77251,"flow_stddev":26248.2,"c_to_s_min":2,"c_to_s_avg":9545.1,"c_to_s_max":76054,"c_to_s_stddev":24809.2,"s_to_c_min":2,"s_to_c_avg":13639.2,"s_to_c_max":77251,"s_to_c_stddev":27544.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":106.8,"c_to_s_max":508,"c_to_s_stddev":104.4,"s_to_c_min":60,"s_to_c_avg":94.5,"s_to_c_max":488,"s_to_c_stddev":105.9}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":435,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364922060,"flow_src_last_pkt_time":1578508364922060,"flow_dst_last_pkt_time":1578508364922060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364922060,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.233.197.131","src_port":56637,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":435,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_src_last_pkt_time":1578508364922060,"flow_dst_last_pkt_time":1578508364922060,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508364922060,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGjuvAqAG4I+nFg909dl+ptEcpAAAAALAC\/\/+OGAAAAgQFtAEDAwUBAQgKItiVxAAAAAAEAgAA"} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":445,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364924936,"flow_src_last_pkt_time":1578508364924936,"flow_dst_last_pkt_time":1578508364924936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364924936,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"209.250.240.205","src_port":56638,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -169,7 +169,7 @@ 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":472,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364932939,"flow_src_last_pkt_time":1578508364932939,"flow_dst_last_pkt_time":1578508364932939,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364932939,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":56639,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":472,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":1,"flow_src_last_pkt_time":1578508364932939,"flow_dst_last_pkt_time":1578508364932939,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508364932939,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGvd3AqAG4Etunn90\/dl9+5\/UeAAAAALAC\/\/851wAAAgQFtAEDAwUBAQgKItiVzQAAAAAEAgAA"} 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":473,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364824682,"flow_src_last_pkt_time":1578508364933835,"flow_dst_last_pkt_time":1578508364932308,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":571,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364933835,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"159.203.84.31","src_port":56634,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01450{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":475,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523420,"flow_src_last_pkt_time":1578508364824407,"flow_dst_last_pkt_time":1578508364936429,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":395,"flow_dst_max_l4_payload_len":470,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":534,"midstream":0,"thread_ts_usec":1578508364936429,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"3.209.45.79","src_port":56628,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":22426.0,"flow_max":164457,"flow_stddev":51986.6,"c_to_s_min":2,"c_to_s_avg":14505.9,"c_to_s_max":163149,"c_to_s_stddev":43812.0,"s_to_c_min":10,"s_to_c_avg":37546.3,"s_to_c_max":164457,"s_to_c_stddev":62042.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":96.8,"c_to_s_max":461,"c_to_s_stddev":85.7,"s_to_c_min":60,"s_to_c_avg":114.7,"s_to_c_max":536,"s_to_c_stddev":133.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01450{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":475,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523420,"flow_src_last_pkt_time":1578508364824407,"flow_dst_last_pkt_time":1578508364936429,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":395,"flow_dst_max_l4_payload_len":470,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":534,"midstream":0,"thread_ts_usec":1578508364936429,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"3.209.45.79","src_port":56628,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":23032.1,"flow_max":164457,"flow_stddev":52707.1,"c_to_s_min":2,"c_to_s_avg":15049.3,"c_to_s_max":163149,"c_to_s_stddev":44824.8,"s_to_c_min":10,"s_to_c_avg":37546.3,"s_to_c_max":164457,"s_to_c_stddev":62042.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":96.8,"c_to_s_max":461,"c_to_s_stddev":85.7,"s_to_c_min":60,"s_to_c_avg":114.7,"s_to_c_max":536,"s_to_c_stddev":133.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 01936{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":486,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364925232,"flow_dst_last_pkt_time":1578508364954898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1099,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1099,"pkt_l4_len":1065,"thread_ts_usec":1578508364954898,"pkt":"KDc3AG3IEBMx8Tl2CABFAAQ91J1AACwRmVQjtPapwKgBuHZddl8EKaTIL6PiPVD76wxxux15bHRlnSs2av4nBFSV7v4bhHiIpeAMxLmbK8f6wiaJfQicCaKdl2RU3riNA4G85e32CrySn3+r4nugeiGUNmLmJTGwe70KAk\/1yl9pMbVr5iHiC9EbAQT5A7z5A7T4TYSnVnoygnZfgnZfuECQJNyxBglNPC+n9m4t\/W08TtywpdWYdWjkRxmhkajaDCz+gK\/mbTitDTyIYj\/DM6dFql13rAhhOsl+TepFcV7R+E2EVmvzPoJ2X4J2X7hAs1lDgaitKFA3cxLdFsLwt7VebQyms4a6o\/fivZtKo8AkJ6dL4w4Dn4+\/vC\/\/JsKeSIScYYBOpqnxxVMZ+XWFxvhNhIui\/9KCdl+Cdl+4QKesUvPGk3pcExPSpjjyYak+S\/zgRaKyCtkCAnADlTupsK\/kU6vbTyjVeYLvjRqhlLfuaobh1XsP1yYWbMEwCkP4TYROL5ObgnZfgnZfuEBjjxCUsfvwMHRxTE5YrP7+ISCuREmPbKrzjoabqIoNEUz\/YRnAV2w6k47DZjKIksCMD5bt88unhn0EsLYp\/SzX+E2EXkQ3ooJ2X4J2X7hAPuP3gMJbiMdT+jVwpl443XaSBNUfQ0qZUmbru+9L8er4h7zKFM+7c1K4WVxLv0mgiZa++5g5WXQyn8nQTgubb\/hNhIpLq76Cdl+Cdl+4QPw+TE9tCaxzvKUZLrSUydGaIDt2Km6jvC1h7Hg9CIqQESMae7r6mkOxEncigdCNSYhdj\/fphc\/puhfvJzVEsBH4TYQj6yXYgnZfgnZfuEC5nQSZ\/xzD17vSEoHg\/jtmGLuRaM3q97\/3Czva8FggRyrw44MHO8OtruMk8OoTJc88hHmdKvMBoeGC+K0eEhFi+E2Ep1ZKIYJ2XYJ2XbhAYZoPsgtYlBM737vFkYUTo\/9EphiWRNvy3F9PFQKE60Wg2vh7fDKeVFJ2s+C3+rlsvule\/8FMZch7lhCdhu+rUPhNhJ3mmFeCdl+Cdl+4QGQs+WUN2IadQlJdv2hYAS47TWT0deczhHq293QjQaQ5dBSGXZU4dOj17ZGw5OHFM97hStHWuydqVFmyRxRg\/w34TYQ050sDgsVJgsVJuEDzSXu93jNII3idYaebqM1QwrATGCoZMfOLWHKo8\/HNEvGmOW1TsZdycKJciiZgh6ud1sRz67L9tP+HeODfKFTV+E2EDfsOx4J2X4J2X7hAH7mV1eGOz5WoeIocWFwRYF7ZVBDRcdtaFFH5u23BFJ62FH1ch71cEmxc8OtYpiPqb2N3y6mQjsQPeWAgtQws9vhNhCPknjSCdl+Cdl+4QFeAPtyTjNbAmZsxJ+YSStMfUptpi+Ck9CtWlo\/Fnkmot5zzhg4wYebjEaqIDMNNKgYreTwT+o6X4euclIzcKBSEXhYgYA=="} 01076{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":487,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364925232,"flow_dst_last_pkt_time":1578508364954930,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":467,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":467,"pkt_l4_len":433,"thread_ts_usec":1578508364954930,"pkt":"KDc3AG3IEBMx8Tl2CABFAAHF1J5AACwRm8sjtPapwKgBuHZddl8BsQR1SNeP1ZrG\/ZwtEcGW5vGA0sDGp78prdWhxHtDqEDU7PNKL6kZEdICkE\/ClTr5riDvJ\/S0Juy5pZvsiDZ34LyanRNXXRjpzjohXnlvDARKWl\/FPyuFUx\/5q7iG79kKNiaGAAT5AUT5ATz4TYS5GczRgm\/xgm\/xuEBa13f1PeAY+pXn+QDG2H2vRnbUjALc47yKM1DGaLaCBXAmqDZbTzNfSqGBTAVPFFnsJtnCFC0Fv0w0bIIRmdWp+E2EijsROoJ2X4J2X7hAJi3PrTUi8k0+hp72TGveiEIya6qIgjO27CDPgcM2XClPC4ML\/96HDCNIKvA6L6b3KKoTFoGm44u2hTJ2hJ9PJvhNhM+0ztiCdl+Cdl+4QCCTHaJCBMKOiAeM0+J0ILaNmDQGKBpq95aDifzAyS6BBPIijEGzkyTvF6L1V27y7PdVSWOVkbAaliLEx1mlVCv4TYRf2EBxgnX+gnX+uEAuHZY2QcmV8WQCz4M\/VG5LfG7tHam\/sFovnjhq\/yEXmxTFgIMHUbncizgn1Jn7XeiL7CoOoCVHxB7uvvn28VO3hF4WIGA="} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":488,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364924936,"flow_dst_last_pkt_time":1578508364957524,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364957524,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIGw5PR+vDNwKgBuHZf3T7\/g0hGkL7bbKAScSAsgwAAAgQFrAQCCAoN8FcJItiVxgEDAwc="} @@ -184,13 +184,13 @@ 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":568,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365021490,"flow_dst_last_pkt_time":1578508365021490,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365021490,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGuz\/AqAG4sj4K2t1Cdl8xVnl5AAAAALAC\/\/8AHAAAAgQFtAEDAwUBAQgKItiWHgAAAAAEAgAA"} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":569,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365029590,"flow_src_last_pkt_time":1578508365029590,"flow_dst_last_pkt_time":1578508365029590,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365029590,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.62.29.183","src_port":56643,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":569,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365029590,"flow_dst_last_pkt_time":1578508365029590,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365029590,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGqGLAqAG4sj4dt91Ddl+W2yuDAAAAALAC\/\/\/VpgAAAgQFtAEDAwUBAQgKItiWJgAAAAAEAgAA"} -01448{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":583,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364924936,"flow_src_last_pkt_time":1578508365038162,"flow_dst_last_pkt_time":1578508365038195,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":415,"flow_dst_max_l4_payload_len":494,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":686,"midstream":0,"thread_ts_usec":1578508365038195,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"209.250.240.205","src_port":56638,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":7085.3,"flow_max":43142,"flow_stddev":14098.0,"c_to_s_min":3,"c_to_s_avg":5673.5,"c_to_s_max":43142,"c_to_s_stddev":13037.9,"s_to_c_min":3,"s_to_c_avg":9438.2,"s_to_c_max":41248,"s_to_c_stddev":15422.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":115.3,"c_to_s_max":481,"c_to_s_stddev":95.5,"s_to_c_min":66,"s_to_c_avg":127.8,"s_to_c_max":560,"s_to_c_stddev":135.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01448{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":583,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364924936,"flow_src_last_pkt_time":1578508365038162,"flow_dst_last_pkt_time":1578508365038195,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":415,"flow_dst_max_l4_payload_len":494,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":686,"midstream":0,"thread_ts_usec":1578508365038195,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"209.250.240.205","src_port":56638,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":7306.0,"flow_max":43142,"flow_stddev":14269.1,"c_to_s_min":3,"c_to_s_avg":5959.3,"c_to_s_max":43142,"c_to_s_stddev":13315.5,"s_to_c_min":3,"s_to_c_avg":9438.2,"s_to_c_max":41248,"s_to_c_stddev":15422.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":115.3,"c_to_s_max":481,"c_to_s_stddev":95.5,"s_to_c_min":66,"s_to_c_avg":127.8,"s_to_c_max":560,"s_to_c_stddev":135.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":598,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365038942,"flow_src_last_pkt_time":1578508365038942,"flow_dst_last_pkt_time":1578508365038942,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365038942,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"13.230.108.42","src_port":56644,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":598,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365038942,"flow_dst_last_pkt_time":1578508365038942,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365038942,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG\/kfAqAG4DeZsKt1Edl+KMGOvAAAAALAC\/\/8AAwAAAgQFtAEDAwUBAQgKItiWLQAAAAAEAgAA"} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":605,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365009842,"flow_dst_last_pkt_time":1578508365039176,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365039176,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGe3mQW3iHwKgBuHZf3UEpl2emdDhi4qAScSAVuAAAAgQFrAQCCArbhaVwItiWFAEDAwc="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":606,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365039222,"flow_dst_last_pkt_time":1578508365039176,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365039222,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGb4HAqAG4kFt4h91Bdl90OGLiKZdnp4AQECylVgAAAQEICiLYli7bhaVw"} 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":607,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365009842,"flow_src_last_pkt_time":1578508365040566,"flow_dst_last_pkt_time":1578508365039176,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":540,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365040566,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"144.91.120.135","src_port":56641,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01451{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":617,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508364659294,"flow_src_last_pkt_time":1578508364932664,"flow_dst_last_pkt_time":1578508365043187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":431,"flow_dst_max_l4_payload_len":423,"flow_src_tot_l4_payload_len":671,"flow_dst_tot_l4_payload_len":487,"midstream":0,"thread_ts_usec":1578508365043187,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"40.67.144.128","src_port":56630,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":20548.3,"flow_max":158141,"flow_stddev":48096.3,"c_to_s_min":2,"c_to_s_avg":15203.0,"c_to_s_max":158141,"c_to_s_stddev":43040.8,"s_to_c_min":1,"s_to_c_avg":27420.9,"s_to_c_max":158073,"s_to_c_stddev":53119.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":103.9,"c_to_s_max":497,"c_to_s_stddev":99.5,"s_to_c_min":60,"s_to_c_avg":97.9,"s_to_c_max":489,"s_to_c_stddev":109.1}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01451{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":617,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508364659294,"flow_src_last_pkt_time":1578508364932664,"flow_dst_last_pkt_time":1578508365043187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":431,"flow_dst_max_l4_payload_len":423,"flow_src_tot_l4_payload_len":671,"flow_dst_tot_l4_payload_len":487,"midstream":0,"thread_ts_usec":1578508365043187,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"40.67.144.128","src_port":56630,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":21202.0,"flow_max":158141,"flow_stddev":48725.8,"c_to_s_min":2,"c_to_s_avg":16080.6,"c_to_s_max":158141,"c_to_s_stddev":44131.8,"s_to_c_min":1,"s_to_c_avg":27420.9,"s_to_c_max":158073,"s_to_c_stddev":53119.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":103.9,"c_to_s_max":497,"c_to_s_stddev":99.5,"s_to_c_min":60,"s_to_c_avg":97.9,"s_to_c_max":489,"s_to_c_stddev":109.1}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":645,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365045064,"flow_dst_last_pkt_time":1578508365045064,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365045064,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":645,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365045064,"flow_dst_last_pkt_time":1578508365045064,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365045064,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGOT7AqAG4uduFPt1Fdl+PNscoAAAAALAC\/\/\/ScwAAAgQFtAEDAwUBAQgKItiWMgAAAAAEAgAA"} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":646,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364932939,"flow_dst_last_pkt_time":1578508365063785,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365063785,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAACMG2uES26efwKgBuHZf3T9fy8\/Lfuf1H6ASaN8cNgAAAgQFrAQCCAoSyYNbItiVzQEDAwc="} @@ -210,16 +210,16 @@ 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":718,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365094017,"flow_dst_last_pkt_time":1578508365092283,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":410,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":410,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365094017,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":728,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365094625,"flow_src_last_pkt_time":1578508365094625,"flow_dst_last_pkt_time":1578508365094625,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365094625,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"182.162.161.61","src_port":56647,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":728,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365094625,"flow_dst_last_pkt_time":1578508365094625,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365094625,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGIHjAqAG4tqKhPd1Hdl8HffxGAAAAALAC\/\/8MGQAAAgQFtAEDAwUBAQgKItiWYAAAAAAEAgAA"} -01454{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":732,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522827,"flow_src_last_pkt_time":1578508364921758,"flow_dst_last_pkt_time":1578508365096545,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":490,"flow_dst_max_l4_payload_len":467,"flow_src_tot_l4_payload_len":730,"flow_dst_tot_l4_payload_len":531,"midstream":0,"thread_ts_usec":1578508365096545,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"104.42.217.25","src_port":56611,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":30490.4,"flow_max":202293,"flow_stddev":70384.0,"c_to_s_min":2,"c_to_s_avg":19141.6,"c_to_s_max":201303,"c_to_s_stddev":58101.1,"s_to_c_min":12,"s_to_c_avg":52156.2,"s_to_c_max":202293,"s_to_c_stddev":85155.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.3,"c_to_s_max":556,"c_to_s_stddev":105.1,"s_to_c_min":60,"s_to_c_avg":114.5,"s_to_c_max":533,"s_to_c_stddev":132.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01454{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":732,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522827,"flow_src_last_pkt_time":1578508364921758,"flow_dst_last_pkt_time":1578508365096545,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":490,"flow_dst_max_l4_payload_len":467,"flow_src_tot_l4_payload_len":730,"flow_dst_tot_l4_payload_len":531,"midstream":0,"thread_ts_usec":1578508365096545,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"104.42.217.25","src_port":56611,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":31375.8,"flow_max":202293,"flow_stddev":71334.6,"c_to_s_min":2,"c_to_s_avg":19946.6,"c_to_s_max":201303,"c_to_s_stddev":59421.5,"s_to_c_min":12,"s_to_c_avg":52156.2,"s_to_c_max":202293,"s_to_c_stddev":85155.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.3,"c_to_s_max":556,"c_to_s_stddev":105.1,"s_to_c_min":60,"s_to_c_avg":114.5,"s_to_c_max":533,"s_to_c_stddev":132.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":755,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365079165,"flow_dst_last_pkt_time":1578508365104666,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365104666,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAADMGeqysaV4+wKgBuHZf3UajVVX7HTpq6KAS\/ojIGAAAAgQFrAQCCAobAQsKItiWUQEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":756,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365104768,"flow_dst_last_pkt_time":1578508365104666,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365104768,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGbbzAqAG4rGlePt1Gdl8dOmroo1VV\/IAQECzlIgAAAQEICiLYlmgbAQsK"} 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":757,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365079165,"flow_src_last_pkt_time":1578508365105962,"flow_dst_last_pkt_time":1578508365104666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":474,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365105962,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"172.105.94.62","src_port":56646,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01453{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":842,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364824682,"flow_src_last_pkt_time":1578508365044863,"flow_dst_last_pkt_time":1578508365151822,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":513,"flow_src_tot_l4_payload_len":811,"flow_dst_tot_l4_payload_len":577,"midstream":0,"thread_ts_usec":1578508365151822,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"159.203.84.31","src_port":56634,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":17113.1,"flow_max":109385,"flow_stddev":39187.8,"c_to_s_min":2,"c_to_s_avg":10499.0,"c_to_s_max":109385,"c_to_s_stddev":31808.7,"s_to_c_min":7,"s_to_c_avg":29740.0,"s_to_c_max":109033,"s_to_c_stddev":47884.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":105.2,"c_to_s_max":637,"c_to_s_stddev":121.9,"s_to_c_min":60,"s_to_c_avg":118.1,"s_to_c_max":579,"s_to_c_stddev":146.1}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01453{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":842,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364824682,"flow_src_last_pkt_time":1578508365044863,"flow_dst_last_pkt_time":1578508365151822,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":513,"flow_src_tot_l4_payload_len":811,"flow_dst_tot_l4_payload_len":577,"midstream":0,"thread_ts_usec":1578508365151822,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"159.203.84.31","src_port":56634,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":17655.5,"flow_max":109385,"flow_stddev":39696.4,"c_to_s_min":2,"c_to_s_avg":11009.0,"c_to_s_max":109385,"c_to_s_stddev":32510.3,"s_to_c_min":7,"s_to_c_avg":29740.0,"s_to_c_max":109033,"s_to_c_stddev":47884.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":105.2,"c_to_s_max":637,"c_to_s_stddev":121.9,"s_to_c_min":60,"s_to_c_avg":118.1,"s_to_c_max":579,"s_to_c_stddev":146.1}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":900,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365153718,"flow_src_last_pkt_time":1578508365153718,"flow_dst_last_pkt_time":1578508365153718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365153718,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.250.140","src_port":56650,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":900,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365153718,"flow_dst_last_pkt_time":1578508365153718,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365153718,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGWefAqAG4I+T6jN1Kdl95PEStAAAAALAC\/\/+LMAAAAgQFtAEDAwUBAQgKItiWjwAAAAAEAgAA"} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":904,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365154075,"flow_src_last_pkt_time":1578508365154075,"flow_dst_last_pkt_time":1578508365154075,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365154075,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.201.12.87","src_port":56651,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":904,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365154075,"flow_dst_last_pkt_time":1578508365154075,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365154075,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG4TfAqAG4iskMV91Ldl\/HR3E5AAAAALAC\/\/+X6AAAAgQFtAEDAwUBAQgKItiWjwAAAAAEAgAA"} -01448{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":911,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365029590,"flow_src_last_pkt_time":1578508365168387,"flow_dst_last_pkt_time":1578508365168448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":469,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":531,"midstream":0,"thread_ts_usec":1578508365168448,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.62.29.183","src_port":56643,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":9300.5,"flow_max":48881,"flow_stddev":17617.6,"c_to_s_min":2,"c_to_s_avg":7937.9,"c_to_s_max":48881,"c_to_s_stddev":16334.6,"s_to_c_min":10,"s_to_c_avg":11571.5,"s_to_c_max":47405,"s_to_c_stddev":19358.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":104.4,"c_to_s_max":535,"c_to_s_stddev":102.7,"s_to_c_min":66,"s_to_c_avg":110.9,"s_to_c_max":384,"s_to_c_stddev":88.9}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01448{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":911,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365029590,"flow_src_last_pkt_time":1578508365168387,"flow_dst_last_pkt_time":1578508365168448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":469,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":531,"midstream":0,"thread_ts_usec":1578508365168448,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.62.29.183","src_port":56643,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":8956.6,"flow_max":48881,"flow_stddev":17793.5,"c_to_s_min":2,"c_to_s_avg":7305.1,"c_to_s_max":48881,"c_to_s_stddev":16518.3,"s_to_c_min":10,"s_to_c_avg":11571.5,"s_to_c_max":47405,"s_to_c_stddev":19358.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":104.4,"c_to_s_max":535,"c_to_s_stddev":102.7,"s_to_c_min":66,"s_to_c_avg":110.9,"s_to_c_max":384,"s_to_c_stddev":88.9}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":924,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365169225,"flow_src_last_pkt_time":1578508365169225,"flow_dst_last_pkt_time":1578508365169225,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365169225,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"176.9.136.209","src_port":56652,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":924,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365169225,"flow_dst_last_pkt_time":1578508365169225,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365169225,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGP33AqAG4sAmI0d1Mdl8ouUvbAAAAALAC\/\/+6CgAAAgQFtAEDAwUBAQgKItiWngAAAAAEAgAA"} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":928,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365154075,"flow_dst_last_pkt_time":1578508365186673,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365186673,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIG7zuKyQxXwKgBuHZf3Uu6UG6Lx0dxOqAScSDP1QAAAgQFrAQCCAq1b4mgItiWjwEDAwc="} @@ -230,7 +230,7 @@ 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":955,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365189369,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365189369,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365189369,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":30303,"dst_port":30303,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00672{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":955,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365189369,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"thread_ts_usec":1578508365189369,"pkt":"EBMx8Tl2KDc3AG3ICABFAACcflcAAEARfx\/AqAG4Etunn3Zfdl8AiGnBB7Pc5ZlsDZTbUrqaaoRxeL1l7Crbcxf\/BOXFZNGdyZsOxpmBlW67u9+KWe59CkWnKw2GIsEnEKk87oxTf3me3BvKcrMQD0jXMXlBXiHkLViPnwRaOVxyx4odh7D\/BO97AAHdBMuEfwAAAYJ2X4J2X8mEEtunn4J2X4CEXhYgYQU="} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":955,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365189369,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365189369,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365189369,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":30303,"dst_port":30303,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01449{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":966,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365193903,"flow_dst_last_pkt_time":1578508365193933,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":410,"flow_dst_max_l4_payload_len":382,"flow_src_tot_l4_payload_len":698,"flow_dst_tot_l4_payload_len":623,"midstream":0,"thread_ts_usec":1578508365193933,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9310.3,"flow_max":51634,"flow_stddev":18596.5,"c_to_s_min":1,"c_to_s_avg":7453.0,"c_to_s_max":51634,"c_to_s_stddev":17246.8,"s_to_c_min":32,"s_to_c_avg":12405.8,"s_to_c_max":49528,"s_to_c_stddev":20276.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.5,"c_to_s_max":476,"c_to_s_stddev":90.4,"s_to_c_min":66,"s_to_c_avg":118.6,"s_to_c_max":448,"s_to_c_stddev":107.8}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01449{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":966,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365193903,"flow_dst_last_pkt_time":1578508365193933,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":410,"flow_dst_max_l4_payload_len":382,"flow_src_tot_l4_payload_len":698,"flow_dst_tot_l4_payload_len":623,"midstream":0,"thread_ts_usec":1578508365193933,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9603.5,"flow_max":51634,"flow_stddev":18821.1,"c_to_s_min":1,"c_to_s_avg":7833.6,"c_to_s_max":51634,"c_to_s_stddev":17612.8,"s_to_c_min":32,"s_to_c_avg":12405.8,"s_to_c_max":49528,"s_to_c_stddev":20276.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.5,"c_to_s_max":476,"c_to_s_stddev":90.4,"s_to_c_min":66,"s_to_c_avg":118.6,"s_to_c_max":448,"s_to_c_stddev":107.8}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":987,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365194618,"flow_src_last_pkt_time":1578508365194618,"flow_dst_last_pkt_time":1578508365194618,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365194618,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"202.112.28.106","src_port":56655,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":987,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365194618,"flow_dst_last_pkt_time":1578508365194618,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365194618,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGkX3AqAG4ynAcat1Pdl84sWAlAAAAALAC\/\/\/nsAAAAgQFtAEDAwUBAQgKItiWswAAAAAEAgAA"} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1015,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365169225,"flow_dst_last_pkt_time":1578508365201994,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365201994,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIGTYGwCYjRwKgBuHZf3UxCOLg9KLlL3KAScSB8NwAAAgQFrAQCCAqsVDbiItiWngEDAwc="} @@ -239,8 +239,8 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1018,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365153718,"flow_dst_last_pkt_time":1578508365210541,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365210541,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADYGY+sj5PqMwKgBuHZf3UovaHbWeTxErqASbgBmbgAAAgQFjAQCCAqaQodaItiWjwEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1019,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365210643,"flow_dst_last_pkt_time":1578508365210541,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365210643,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGWfPAqAG4I+T6jN1Kdl95PESuL2h214AQECjytwAAAQEICiLYlsKaQoda"} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1028,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365153718,"flow_src_last_pkt_time":1578508365212245,"flow_dst_last_pkt_time":1578508365210541,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":462,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":462,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365212245,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.250.140","src_port":56650,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01454{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1030,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523039,"flow_src_last_pkt_time":1578508365008936,"flow_dst_last_pkt_time":1578508365219392,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":453,"flow_src_tot_l4_payload_len":690,"flow_dst_tot_l4_payload_len":517,"midstream":0,"thread_ts_usec":1578508365219392,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.231.165.108","src_port":56618,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":37047.0,"flow_max":261804,"flow_stddev":85956.2,"c_to_s_min":6,"c_to_s_avg":23293.0,"c_to_s_max":261804,"c_to_s_stddev":71090.2,"s_to_c_min":3,"s_to_c_avg":63304.8,"s_to_c_max":261712,"s_to_c_stddev":103898.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":99.4,"c_to_s_max":516,"c_to_s_stddev":96.9,"s_to_c_min":60,"s_to_c_avg":113.2,"s_to_c_max":519,"s_to_c_stddev":128.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01457{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1043,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523109,"flow_src_last_pkt_time":1578508365009640,"flow_dst_last_pkt_time":1578508365221428,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":752,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508365221428,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"191.234.162.198","src_port":56620,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":37130.5,"flow_max":263164,"flow_stddev":86158.6,"c_to_s_min":2,"c_to_s_avg":23326.5,"c_to_s_max":263164,"c_to_s_stddev":71245.6,"s_to_c_min":3,"s_to_c_avg":63483.5,"s_to_c_max":263094,"s_to_c_stddev":104146.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":102.4,"c_to_s_max":578,"c_to_s_stddev":109.7,"s_to_c_min":60,"s_to_c_avg":113.2,"s_to_c_max":525,"s_to_c_stddev":130.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01454{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1030,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523039,"flow_src_last_pkt_time":1578508365008936,"flow_dst_last_pkt_time":1578508365219392,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":453,"flow_src_tot_l4_payload_len":690,"flow_dst_tot_l4_payload_len":517,"midstream":0,"thread_ts_usec":1578508365219392,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.231.165.108","src_port":56618,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":38137.1,"flow_max":261804,"flow_stddev":87113.6,"c_to_s_min":6,"c_to_s_avg":24294.8,"c_to_s_max":261804,"c_to_s_stddev":72700.9,"s_to_c_min":3,"s_to_c_avg":63304.8,"s_to_c_max":261712,"s_to_c_stddev":103898.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":99.4,"c_to_s_max":516,"c_to_s_stddev":96.9,"s_to_c_min":60,"s_to_c_avg":113.2,"s_to_c_max":519,"s_to_c_stddev":128.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01457{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1043,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523109,"flow_src_last_pkt_time":1578508365009640,"flow_dst_last_pkt_time":1578508365221428,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":752,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508365221428,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"191.234.162.198","src_port":56620,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":38221.0,"flow_max":263164,"flow_stddev":87319.6,"c_to_s_min":2,"c_to_s_avg":24326.6,"c_to_s_max":263164,"c_to_s_stddev":72861.0,"s_to_c_min":3,"s_to_c_avg":63483.5,"s_to_c_max":263094,"s_to_c_stddev":104146.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":102.4,"c_to_s_max":578,"c_to_s_stddev":109.7,"s_to_c_min":60,"s_to_c_avg":113.2,"s_to_c_max":525,"s_to_c_stddev":130.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1061,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365189114,"flow_dst_last_pkt_time":1578508365223317,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365223317,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIGxFFV1mw0wKgBuHZf3U5vpmVtv4fCo6ASOJBjegAAAgQFrAQCCApls11ZItiWsAEDAwc="} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1062,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365223392,"flow_dst_last_pkt_time":1578508365223317,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365223392,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGtlnAqAG4VdZsNN1Odl+\/h8Kjb6ZlboAQECy6hQAAAQEICiLYls1ls11Z"} 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1071,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365189114,"flow_src_last_pkt_time":1578508365225314,"flow_dst_last_pkt_time":1578508365223317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":508,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":508,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365225314,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"85.214.108.52","src_port":56654,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} @@ -248,9 +248,9 @@ 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1083,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365226088,"flow_dst_last_pkt_time":1578508365226088,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365226088,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGQk7AqAG4ikurvt1Rdl8erUWUAAAAALAC\/\/\/M9wAAAgQFtAEDAwUBAQgKItiW0AAAAAAEAgAA"} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1104,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365239758,"flow_src_last_pkt_time":1578508365239758,"flow_dst_last_pkt_time":1578508365239758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365239758,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1104,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365239758,"flow_dst_last_pkt_time":1578508365239758,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365239758,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGQhrAqAG4neaYV91Sdl9OT1qyAAAAALAC\/\/+H9wAAAgQFtAEDAwUBAQgKItiW2wAAAAAEAgAA"} -01446{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1132,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365154075,"flow_src_last_pkt_time":1578508365225822,"flow_dst_last_pkt_time":1578508365257069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":417,"flow_dst_max_l4_payload_len":327,"flow_src_tot_l4_payload_len":657,"flow_dst_tot_l4_payload_len":391,"midstream":0,"thread_ts_usec":1578508365257069,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.201.12.87","src_port":56651,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":5469.4,"flow_max":36541,"flow_stddev":12041.5,"c_to_s_min":2,"c_to_s_avg":4001.5,"c_to_s_max":36541,"c_to_s_stddev":10838.1,"s_to_c_min":11,"s_to_c_avg":7356.7,"s_to_c_max":33881,"s_to_c_stddev":13193.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":103.2,"c_to_s_max":483,"c_to_s_stddev":96.4,"s_to_c_min":60,"s_to_c_avg":91.5,"s_to_c_max":393,"s_to_c_stddev":84.4}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01453{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1171,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365079165,"flow_src_last_pkt_time":1578508365271500,"flow_dst_last_pkt_time":1578508365271455,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":332,"flow_src_tot_l4_payload_len":810,"flow_dst_tot_l4_payload_len":780,"midstream":0,"thread_ts_usec":1578508365271500,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"172.105.94.62","src_port":56646,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5,"flow_avg":12029.9,"flow_max":116020,"flow_stddev":25884.5,"c_to_s_min":10,"c_to_s_avg":9633.3,"c_to_s_max":116020,"c_to_s_stddev":25882.5,"s_to_c_min":5,"s_to_c_avg":16024.2,"s_to_c_max":91412,"s_to_c_stddev":25390.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":107.1,"c_to_s_max":540,"c_to_s_stddev":103.1,"s_to_c_min":66,"s_to_c_avg":131.7,"s_to_c_max":398,"s_to_c_stddev":115.3}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01447{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1188,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365169225,"flow_src_last_pkt_time":1578508365239481,"flow_dst_last_pkt_time":1578508365271811,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":428,"flow_src_tot_l4_payload_len":771,"flow_dst_tot_l4_payload_len":492,"midstream":0,"thread_ts_usec":1578508365271811,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"176.9.136.209","src_port":56652,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":5408.9,"flow_max":34994,"flow_stddev":12072.5,"c_to_s_min":1,"c_to_s_avg":3916.6,"c_to_s_max":34994,"c_to_s_stddev":10615.3,"s_to_c_min":7,"s_to_c_avg":7327.6,"s_to_c_max":33937,"s_to_c_stddev":13479.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":109.5,"c_to_s_max":597,"c_to_s_stddev":121.6,"s_to_c_min":60,"s_to_c_avg":98.3,"s_to_c_max":494,"s_to_c_stddev":110.3}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01446{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1132,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365154075,"flow_src_last_pkt_time":1578508365225822,"flow_dst_last_pkt_time":1578508365257069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":417,"flow_dst_max_l4_payload_len":327,"flow_src_tot_l4_payload_len":657,"flow_dst_tot_l4_payload_len":391,"midstream":0,"thread_ts_usec":1578508365257069,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.201.12.87","src_port":56651,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":5636.8,"flow_max":36541,"flow_stddev":12197.5,"c_to_s_min":2,"c_to_s_avg":4220.4,"c_to_s_max":36541,"c_to_s_stddev":11113.6,"s_to_c_min":11,"s_to_c_avg":7356.7,"s_to_c_max":33881,"s_to_c_stddev":13193.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":103.2,"c_to_s_max":483,"c_to_s_stddev":96.4,"s_to_c_min":60,"s_to_c_avg":91.5,"s_to_c_max":393,"s_to_c_stddev":84.4}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01454{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1171,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365079165,"flow_src_last_pkt_time":1578508365271500,"flow_dst_last_pkt_time":1578508365271455,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":332,"flow_src_tot_l4_payload_len":810,"flow_dst_tot_l4_payload_len":780,"midstream":0,"thread_ts_usec":1578508365271500,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"172.105.94.62","src_port":56646,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5,"flow_avg":12407.3,"flow_max":116020,"flow_stddev":26211.9,"c_to_s_min":10,"c_to_s_avg":10122.9,"c_to_s_max":116020,"c_to_s_stddev":26464.5,"s_to_c_min":5,"s_to_c_avg":16024.2,"s_to_c_max":91412,"s_to_c_stddev":25390.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":107.1,"c_to_s_max":540,"c_to_s_stddev":103.1,"s_to_c_min":66,"s_to_c_avg":131.7,"s_to_c_max":398,"s_to_c_stddev":115.3}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01447{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1188,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365169225,"flow_src_last_pkt_time":1578508365239481,"flow_dst_last_pkt_time":1578508365271811,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":428,"flow_src_tot_l4_payload_len":771,"flow_dst_tot_l4_payload_len":492,"midstream":0,"thread_ts_usec":1578508365271811,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"176.9.136.209","src_port":56652,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":5575.5,"flow_max":34994,"flow_stddev":12229.4,"c_to_s_min":1,"c_to_s_avg":4132.7,"c_to_s_max":34994,"c_to_s_stddev":10884.5,"s_to_c_min":7,"s_to_c_avg":7327.6,"s_to_c_max":33937,"s_to_c_stddev":13479.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":109.5,"c_to_s_max":597,"c_to_s_stddev":121.6,"s_to_c_min":60,"s_to_c_avg":98.3,"s_to_c_max":494,"s_to_c_stddev":110.3}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1189,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365271977,"flow_src_last_pkt_time":1578508365271977,"flow_dst_last_pkt_time":1578508365271977,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365271977,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.161.23.12","src_port":56660,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1189,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365271977,"flow_dst_last_pkt_time":1578508365271977,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365271977,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGLavAqAG4M6EXDN1Udl9XVw7PAAAAALAC\/\/+2RQAAAgQFtAEDAwUBAQgKItiW9wAAAAAEAgAA"} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1195,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365279592,"flow_src_last_pkt_time":1578508365279592,"flow_dst_last_pkt_time":1578508365279592,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365279592,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -259,13 +259,13 @@ 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1208,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":56,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365295537,"flow_dst_last_pkt_time":1578508365295537,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365295537,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGbF\/AqAG4I+XoE91Wdl\/o6wkCAAAAALAC\/\/9pGwAAAgQFtAEDAwUBAQgKItiXDAAAAAAEAgAA"} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1220,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365300081,"flow_src_last_pkt_time":1578508365300081,"flow_dst_last_pkt_time":1578508365300081,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365300081,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"124.217.235.180","src_port":56663,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1220,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365300081,"flow_dst_last_pkt_time":1578508365300081,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365300081,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGD8rAqAG4fNnrtN1Xdl9L2gYiAAAAALAC\/\/+scgAAAgQFtAEDAwUBAQgKItiXEAAAAAAEAgAA"} -01454{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1222,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364832618,"flow_src_last_pkt_time":1578508365154217,"flow_dst_last_pkt_time":1578508365304459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":413,"flow_dst_max_l4_payload_len":405,"flow_src_tot_l4_payload_len":653,"flow_dst_tot_l4_payload_len":469,"midstream":0,"thread_ts_usec":1578508365304459,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"162.228.29.160","src_port":56635,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":24802.3,"flow_max":159357,"flow_stddev":56268.5,"c_to_s_min":1,"c_to_s_avg":15325.4,"c_to_s_max":159357,"c_to_s_stddev":46478.3,"s_to_c_min":12,"s_to_c_avg":42894.6,"s_to_c_max":157669,"s_to_c_stddev":67732.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":97.7,"c_to_s_max":479,"c_to_s_stddev":89.4,"s_to_c_min":60,"s_to_c_avg":108.8,"s_to_c_max":471,"s_to_c_stddev":115.0}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01456{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1231,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364932939,"flow_src_last_pkt_time":1578508365188877,"flow_dst_last_pkt_time":1578508365309479,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":490,"flow_src_tot_l4_payload_len":761,"flow_dst_tot_l4_payload_len":554,"midstream":0,"thread_ts_usec":1578508365309479,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":56639,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":19774.3,"flow_max":130950,"flow_stddev":45601.4,"c_to_s_min":7,"c_to_s_avg":12811.9,"c_to_s_max":130950,"c_to_s_stddev":38023.0,"s_to_c_min":10,"s_to_c_avg":31378.3,"s_to_c_max":130846,"s_to_c_stddev":54039.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":104.7,"c_to_s_max":587,"c_to_s_stddev":114.0,"s_to_c_min":60,"s_to_c_avg":110.8,"s_to_c_max":556,"s_to_c_stddev":134.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01454{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1222,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364832618,"flow_src_last_pkt_time":1578508365154217,"flow_dst_last_pkt_time":1578508365304459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":413,"flow_dst_max_l4_payload_len":405,"flow_src_tot_l4_payload_len":653,"flow_dst_tot_l4_payload_len":469,"midstream":0,"thread_ts_usec":1578508365304459,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"162.228.29.160","src_port":56635,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":25594.8,"flow_max":159357,"flow_stddev":56992.8,"c_to_s_min":1,"c_to_s_avg":16080.0,"c_to_s_max":159357,"c_to_s_stddev":47500.4,"s_to_c_min":12,"s_to_c_avg":42894.6,"s_to_c_max":157669,"s_to_c_stddev":67732.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":97.7,"c_to_s_max":479,"c_to_s_stddev":89.4,"s_to_c_min":60,"s_to_c_avg":108.8,"s_to_c_max":471,"s_to_c_stddev":115.0}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01456{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1231,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364932939,"flow_src_last_pkt_time":1578508365188877,"flow_dst_last_pkt_time":1578508365309479,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":490,"flow_src_tot_l4_payload_len":761,"flow_dst_tot_l4_payload_len":554,"midstream":0,"thread_ts_usec":1578508365309479,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":56639,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":20402.5,"flow_max":130950,"flow_stddev":46194.5,"c_to_s_min":7,"c_to_s_avg":13470.4,"c_to_s_max":130950,"c_to_s_stddev":38899.5,"s_to_c_min":10,"s_to_c_avg":31378.3,"s_to_c_max":130846,"s_to_c_stddev":54039.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":104.7,"c_to_s_max":587,"c_to_s_stddev":114.0,"s_to_c_min":60,"s_to_c_avg":110.8,"s_to_c_max":556,"s_to_c_stddev":134.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00700{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1239,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365315790,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":192,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":192,"pkt_l4_len":158,"thread_ts_usec":1578508365315790,"pkt":"KDc3AG3IEBMx8Tl2CABFAACymwlAACMRP1cS26efwKgBuHZfdl8AnsFrVj4puAH6ZgARKbHJmno0oUTDSx6ME3WyQvgYFdLFf82IMxF0n+9n2kTCv9WKp0W5OWAeoQIHesUQlOhBZUox8XuUKjSw2r\/cLxIh6clEUwjRudwx4mptlXU2a3WMaDxBAALzy4RPFs69gun3gnZfoAez3OWZbA2U21K6mmqEcXi9Zewq23MX\/wTlxWTRncmbhF4WIGEK"} 00672{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1240,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365315825,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"thread_ts_usec":1578508365315825,"pkt":"KDc3AG3IEBMx8Tl2CABFAACcmwpAACMRP2wS26efwKgBuHZfdl8AiLphceZOwZGufNXFAvXWI774ooc6PkwC6kxvzCm0BhiTs\/TWig3gE4P3+Y0lY\/Fll4rTUKnacLSuqKdSUAk7eTbz218E2dS8j3sLMJigll9ziTSt7jKgE6R7GxELpoJhO+ReAQHdBMuEEtunn4J2X4J2X8mETxbOvYLp94CEXhYgYQo="} -01451{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1248,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365153718,"flow_src_last_pkt_time":1578508365327684,"flow_dst_last_pkt_time":1578508365329449,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":462,"flow_dst_max_l4_payload_len":442,"flow_src_tot_l4_payload_len":750,"flow_dst_tot_l4_payload_len":778,"midstream":0,"thread_ts_usec":1578508365329449,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.250.140","src_port":56650,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":10935.9,"flow_max":57129,"flow_stddev":21953.6,"c_to_s_min":2,"c_to_s_avg":8710.9,"c_to_s_max":57129,"c_to_s_stddev":20149.1,"s_to_c_min":8,"s_to_c_avg":14644.2,"s_to_c_max":56823,"s_to_c_stddev":24219.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":104.1,"c_to_s_max":528,"c_to_s_stddev":101.3,"s_to_c_min":66,"s_to_c_avg":131.5,"s_to_c_max":508,"s_to_c_stddev":120.5}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01455{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1264,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523182,"flow_src_last_pkt_time":1578508365078877,"flow_dst_last_pkt_time":1578508365330913,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":771,"flow_dst_tot_l4_payload_len":382,"midstream":0,"thread_ts_usec":1578508365330913,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.138.108.67","src_port":56622,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":42713.2,"flow_max":300415,"flow_stddev":99047.3,"c_to_s_min":7,"c_to_s_avg":26623.5,"c_to_s_max":300415,"c_to_s_stddev":81383.5,"s_to_c_min":11,"s_to_c_avg":73430.1,"s_to_c_max":300373,"s_to_c_stddev":120237.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":103.3,"c_to_s_max":597,"c_to_s_stddev":113.6,"s_to_c_min":60,"s_to_c_avg":100.4,"s_to_c_max":384,"s_to_c_stddev":90.3}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01455{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1282,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523185,"flow_src_last_pkt_time":1578508365096272,"flow_dst_last_pkt_time":1578508365350710,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":471,"flow_dst_max_l4_payload_len":422,"flow_src_tot_l4_payload_len":711,"flow_dst_tot_l4_payload_len":486,"midstream":0,"thread_ts_usec":1578508365350710,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.138.81.28","src_port":56623,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":8,"flow_avg":43875.4,"flow_max":308079,"flow_stddev":101271.0,"c_to_s_min":8,"c_to_s_avg":27451.8,"c_to_s_max":308079,"c_to_s_stddev":83546.3,"s_to_c_min":9,"s_to_c_avg":75229.5,"s_to_c_max":308002,"s_to_c_stddev":122522.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":100.4,"c_to_s_max":537,"c_to_s_stddev":101.2,"s_to_c_min":60,"s_to_c_avg":110.4,"s_to_c_max":488,"s_to_c_stddev":119.8}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01451{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1248,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365153718,"flow_src_last_pkt_time":1578508365327684,"flow_dst_last_pkt_time":1578508365329449,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":462,"flow_dst_max_l4_payload_len":442,"flow_src_tot_l4_payload_len":750,"flow_dst_tot_l4_payload_len":778,"midstream":0,"thread_ts_usec":1578508365329449,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.250.140","src_port":56650,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":11280.5,"flow_max":57129,"flow_stddev":22219.5,"c_to_s_min":2,"c_to_s_avg":9156.1,"c_to_s_max":57129,"c_to_s_stddev":20576.4,"s_to_c_min":8,"s_to_c_avg":14644.2,"s_to_c_max":56823,"s_to_c_stddev":24219.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":104.1,"c_to_s_max":528,"c_to_s_stddev":101.3,"s_to_c_min":66,"s_to_c_avg":131.5,"s_to_c_max":508,"s_to_c_stddev":120.5}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01456{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1264,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523182,"flow_src_last_pkt_time":1578508365078877,"flow_dst_last_pkt_time":1578508365330913,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":771,"flow_dst_tot_l4_payload_len":382,"midstream":0,"thread_ts_usec":1578508365330913,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.138.108.67","src_port":56622,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":43981.5,"flow_max":300415,"flow_stddev":100376.1,"c_to_s_min":7,"c_to_s_avg":27784.8,"c_to_s_max":300415,"c_to_s_stddev":83223.3,"s_to_c_min":11,"s_to_c_avg":73430.1,"s_to_c_max":300373,"s_to_c_stddev":120237.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":103.3,"c_to_s_max":597,"c_to_s_stddev":113.6,"s_to_c_min":60,"s_to_c_avg":100.4,"s_to_c_max":384,"s_to_c_stddev":90.3}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01455{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1282,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523185,"flow_src_last_pkt_time":1578508365096272,"flow_dst_last_pkt_time":1578508365350710,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":471,"flow_dst_max_l4_payload_len":422,"flow_src_tot_l4_payload_len":711,"flow_dst_tot_l4_payload_len":486,"midstream":0,"thread_ts_usec":1578508365350710,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.138.81.28","src_port":56623,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":8,"flow_avg":45181.0,"flow_max":308079,"flow_stddev":102626.0,"c_to_s_min":8,"c_to_s_avg":28654.3,"c_to_s_max":308079,"c_to_s_stddev":85431.9,"s_to_c_min":9,"s_to_c_avg":75229.5,"s_to_c_max":308002,"s_to_c_stddev":122522.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":100.4,"c_to_s_max":537,"c_to_s_stddev":101.2,"s_to_c_min":60,"s_to_c_avg":110.4,"s_to_c_max":488,"s_to_c_stddev":119.8}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1315,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365408726,"flow_src_last_pkt_time":1578508365408726,"flow_dst_last_pkt_time":1578508365408726,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":129,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":129,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365408726,"l3_proto":"ip4","src_ip":"183.129.242.164","dst_ip":"192.168.1.184","src_port":1024,"dst_port":30303,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00675{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1315,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365408726,"flow_dst_last_pkt_time":1578508365408726,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1578508365408726,"pkt":"KDc3AG3IEBMx8Tl2CABFAACdhY9AAC4RWjq3gfKkwKgBuAQAdl8AiS5Y3VkKujBE9K5giYMoNotbt65xxd7ko3VSXKgTCSaupxKnp71rmT0XRsX6xoF5macEurqmdfib0\/9m0ybRIVy\/Qzz+\/\/zwyKtEHKyC9Xjjwvc8TLpzNetXjDWFS0pbC\/Z0AQHeBcuErBRsfYJ2X4J2X8uETxbOvYLp94J2X4ReFiBh"} 00988{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1315,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365408726,"flow_src_last_pkt_time":1578508365408726,"flow_dst_last_pkt_time":1578508365408726,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":129,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":129,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365408726,"l3_proto":"ip4","src_ip":"183.129.242.164","dst_ip":"192.168.1.184","src_port":1024,"dst_port":30303,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} @@ -277,7 +277,7 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1321,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365239758,"flow_dst_last_pkt_time":1578508365419060,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365419060,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADAGUh6d5phXwKgBuHZf3VIVkuQhTk9as6AScSDAlwAAAgQFrAQCCAq827CpItiW2wEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1322,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365419127,"flow_dst_last_pkt_time":1578508365419060,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365419127,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGQibAqAG4neaYV91Sdl9OT1qzFZLkIoAQECxPsAAAAQEICiLYl3u827Cp"} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1323,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365239758,"flow_src_last_pkt_time":1578508365420924,"flow_dst_last_pkt_time":1578508365419060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":583,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":583,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365420924,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01456{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1325,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522826,"flow_src_last_pkt_time":1578508365153717,"flow_dst_last_pkt_time":1578508365439333,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":574,"flow_dst_max_l4_payload_len":396,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":460,"midstream":0,"thread_ts_usec":1578508365439333,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"165.22.107.33","src_port":56610,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":48451.2,"flow_max":339297,"flow_stddev":112132.1,"c_to_s_min":2,"c_to_s_avg":30187.3,"c_to_s_max":339297,"c_to_s_stddev":92373.4,"s_to_c_min":6,"s_to_c_avg":83318.8,"s_to_c_max":339196,"s_to_c_stddev":135776.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":105.3,"c_to_s_max":640,"c_to_s_stddev":122.5,"s_to_c_min":60,"s_to_c_avg":107.5,"s_to_c_max":462,"s_to_c_stddev":112.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01456{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1325,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522826,"flow_src_last_pkt_time":1578508365153717,"flow_dst_last_pkt_time":1578508365439333,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":574,"flow_dst_max_l4_payload_len":396,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":460,"midstream":0,"thread_ts_usec":1578508365439333,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"165.22.107.33","src_port":56610,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":49916.1,"flow_max":339297,"flow_stddev":113624.6,"c_to_s_min":2,"c_to_s_avg":31544.6,"c_to_s_max":339297,"c_to_s_stddev":94450.0,"s_to_c_min":6,"s_to_c_avg":83318.8,"s_to_c_max":339196,"s_to_c_stddev":135776.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":105.3,"c_to_s_max":640,"c_to_s_stddev":122.5,"s_to_c_min":60,"s_to_c_avg":107.5,"s_to_c_max":462,"s_to_c_stddev":112.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1339,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365279592,"flow_dst_last_pkt_time":1578508365458807,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365458807,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAACwG2AY0CYBEwKgBuHZf3VXR7JfX7e3rXKASaN9TlwAAAgQFrAQCCAqDIEEYItiW\/gEDAwc="} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1340,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365458850,"flow_dst_last_pkt_time":1578508365458807,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365458850,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGxBbAqAG4NAmARN1Vdl\/t7etc0eyX2IAQECzabQAAAQEICiLYl5+DIEEY"} 00984{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1341,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365279592,"flow_src_last_pkt_time":1578508365460380,"flow_dst_last_pkt_time":1578508365458807,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":472,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365460380,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} @@ -290,7 +290,7 @@ 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1346,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365226088,"flow_dst_last_pkt_time":1578508365485758,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365485758,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAAC0GVVKKS6u+wKgBuHZf3VEGdfqIHq1FlaAS\/og\/VgAAAgQFrAQCCAqkAfsSItiW0AEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1347,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365485867,"flow_dst_last_pkt_time":1578508365485758,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365485867,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGQlrAqAG4ikurvt1Rdl8erUWVBnX6iYAQECxbjgAAAQEICiLYl7mkAfsS"} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1348,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365226088,"flow_src_last_pkt_time":1578508365487180,"flow_dst_last_pkt_time":1578508365485758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":539,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":539,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365487180,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.75.171.190","src_port":56657,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01457{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1350,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523145,"flow_src_last_pkt_time":1578508365197191,"flow_dst_last_pkt_time":1578508365510722,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":525,"flow_dst_max_l4_payload_len":451,"flow_src_tot_l4_payload_len":765,"flow_dst_tot_l4_payload_len":515,"midstream":0,"thread_ts_usec":1578508365510722,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.187.207.27","src_port":56621,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":52030.8,"flow_max":354597,"flow_stddev":120422.6,"c_to_s_min":7,"c_to_s_avg":32257.5,"c_to_s_max":354597,"c_to_s_stddev":98614.8,"s_to_c_min":12,"s_to_c_avg":89779.7,"s_to_c_max":354503,"s_to_c_stddev":146456.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":103.0,"c_to_s_max":591,"c_to_s_stddev":112.4,"s_to_c_min":60,"s_to_c_avg":113.0,"s_to_c_max":517,"s_to_c_stddev":128.2}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01458{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1350,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523145,"flow_src_last_pkt_time":1578508365197191,"flow_dst_last_pkt_time":1578508365510722,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":525,"flow_dst_max_l4_payload_len":451,"flow_src_tot_l4_payload_len":765,"flow_dst_tot_l4_payload_len":515,"midstream":0,"thread_ts_usec":1578508365510722,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.187.207.27","src_port":56621,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":53600.7,"flow_max":354597,"flow_stddev":122026.8,"c_to_s_min":7,"c_to_s_avg":33702.3,"c_to_s_max":354597,"c_to_s_stddev":100832.9,"s_to_c_min":12,"s_to_c_avg":89779.7,"s_to_c_max":354503,"s_to_c_stddev":146456.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":103.0,"c_to_s_max":591,"c_to_s_stddev":112.4,"s_to_c_min":60,"s_to_c_avg":113.0,"s_to_c_max":517,"s_to_c_stddev":128.2}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1373,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365567882,"flow_src_last_pkt_time":1578508365567882,"flow_dst_last_pkt_time":1578508365567882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365567882,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"106.12.39.168","src_port":30303,"dst_port":30333,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00673{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1373,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365567882,"flow_dst_last_pkt_time":1578508365567882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"thread_ts_usec":1578508365567882,"pkt":"EBMx8Tl2KDc3AG3ICABFAACcHIoAAEARCbPAqAG4agwnqHZfdn0AiGszdDnl2LgHwUzwnp\/NUaAjl2\/6ukAyoGtKBC9U9NcJJ2SSjY1bIBQONPG3UmfcMXvTBTN6oZMu6GXIBxr9UadDckfonN6CsHl3H7EBI7wV8mnDuf+AbUa\/i02tPDo+DL09AAHdBMuEfwAAAYJ2X4J2X8mEagwnqIJ2fYCEXhYgYQU="} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1373,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365567882,"flow_src_last_pkt_time":1578508365567882,"flow_dst_last_pkt_time":1578508365567882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365567882,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"106.12.39.168","src_port":30303,"dst_port":30333,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} @@ -314,13 +314,13 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1463,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365300081,"flow_dst_last_pkt_time":1578508365688431,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365688431,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAACwGI8Z82eu0wKgBuHZf3VfxiPe9S9oGI6AScSAoCwAAAgQFrAQCCArI+HIBItiXEAEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1464,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365688547,"flow_dst_last_pkt_time":1578508365688431,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365688547,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGD9bAqAG4fNnrtN1Xdl9L2gYj8Yj3voAQECy2XAAAAQEICiLYmHfI+HIB"} 00988{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1465,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365300081,"flow_src_last_pkt_time":1578508365690049,"flow_dst_last_pkt_time":1578508365688431,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":545,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":545,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365690049,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"124.217.235.180","src_port":56663,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01453{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1470,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365271977,"flow_src_last_pkt_time":1578508365699150,"flow_dst_last_pkt_time":1578508365699343,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":573,"flow_dst_max_l4_payload_len":421,"flow_src_tot_l4_payload_len":861,"flow_dst_tot_l4_payload_len":662,"midstream":0,"thread_ts_usec":1578508365699343,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.161.23.12","src_port":56660,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":26712.4,"flow_max":147323,"flow_stddev":53577.6,"c_to_s_min":2,"c_to_s_avg":21371.6,"c_to_s_max":147323,"c_to_s_stddev":49530.6,"s_to_c_min":7,"s_to_c_avg":35613.8,"s_to_c_max":141731,"s_to_c_stddev":58645.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":109.7,"c_to_s_max":639,"c_to_s_stddev":124.7,"s_to_c_min":66,"s_to_c_avg":121.8,"s_to_c_max":487,"s_to_c_stddev":117.2}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01453{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1470,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365271977,"flow_src_last_pkt_time":1578508365699150,"flow_dst_last_pkt_time":1578508365699343,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":573,"flow_dst_max_l4_payload_len":421,"flow_src_tot_l4_payload_len":861,"flow_dst_tot_l4_payload_len":662,"midstream":0,"thread_ts_usec":1578508365699343,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.161.23.12","src_port":56660,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":27565.8,"flow_max":147323,"flow_stddev":54220.4,"c_to_s_min":2,"c_to_s_avg":22482.8,"c_to_s_max":147323,"c_to_s_stddev":50573.8,"s_to_c_min":7,"s_to_c_avg":35613.8,"s_to_c_max":141731,"s_to_c_stddev":58645.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":109.7,"c_to_s_max":639,"c_to_s_stddev":124.7,"s_to_c_min":66,"s_to_c_avg":121.8,"s_to_c_max":487,"s_to_c_stddev":117.2}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1484,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365701530,"flow_src_last_pkt_time":1578508365701530,"flow_dst_last_pkt_time":1578508365701530,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365701530,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"139.162.255.210","src_port":56672,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1484,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365701530,"flow_dst_last_pkt_time":1578508365701530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365701530,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG7OLAqAG4i6L\/0t1gdl\/B\/P6FAAAAALAC\/\/8ZigAAAgQFtAEDAwUBAQgKItiYggAAAAAEAgAA"} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1517,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365712625,"flow_src_last_pkt_time":1578508365712625,"flow_dst_last_pkt_time":1578508365712625,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365712625,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"78.47.147.155","src_port":56673,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1517,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":64,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365712625,"flow_dst_last_pkt_time":1578508365712625,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365712625,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGlo3AqAG4Ti+Tm91hdl8xKZuYAAAAALAC\/\/+26gAAAgQFtAEDAwUBAQgKItiYjAAAAAAEAgAA"} 00728{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1521,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365736342,"flow_dst_last_pkt_time":1578508364732443,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":213,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":213,"pkt_l4_len":179,"thread_ts_usec":1578508365736342,"pkt":"EBMx8Tl2KDc3AG3ICABFAADHpIMAAEARoqnAqAG4b+UAtHZfTtYAsxSK2l5Lj\/FNPSwNskN7KXHg69sINFX5NaCleeEwgXwmONn61xupKUye1QOfHD1DMyDw8Rv4bxSGME4AJ9XC7q+0Pwz+NqNAUtNYGL1TDF+F5wROIhyoide5OcgIFnuRD6baAQP4R7hAggEUSZWpWZm0YK3HCqZiBR7sHJ3wp8USPzyX73HGoWVqts4UjRd8TfDxZuCIPe7jI\/CXMWJB7l7pTCCyfJvg8YReFiBh"} -01451{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1532,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":62,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1578508365592330,"flow_src_last_pkt_time":1578508365741203,"flow_dst_last_pkt_time":1578508365740945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":540,"flow_dst_max_l4_payload_len":364,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":812,"midstream":0,"thread_ts_usec":1578508365741203,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"86.107.243.62","src_port":56671,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":10036.5,"flow_max":39189,"flow_stddev":15960.4,"c_to_s_min":6,"c_to_s_avg":7189.8,"c_to_s_max":39189,"c_to_s_stddev":13920.0,"s_to_c_min":256,"s_to_c_avg":18576.9,"s_to_c_max":39176,"s_to_c_stddev":18449.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":105.2,"c_to_s_max":606,"c_to_s_stddev":107.6,"s_to_c_min":66,"s_to_c_avg":168.5,"s_to_c_max":430,"s_to_c_stddev":136.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01450{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1532,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":62,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1578508365592330,"flow_src_last_pkt_time":1578508365741203,"flow_dst_last_pkt_time":1578508365740945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":540,"flow_dst_max_l4_payload_len":364,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":812,"midstream":0,"thread_ts_usec":1578508365741203,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"86.107.243.62","src_port":56671,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":9596.4,"flow_max":39189,"flow_stddev":16023.4,"c_to_s_min":6,"c_to_s_avg":6472.7,"c_to_s_max":39189,"c_to_s_stddev":13778.7,"s_to_c_min":256,"s_to_c_avg":18576.9,"s_to_c_max":39176,"s_to_c_stddev":18449.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":105.2,"c_to_s_max":606,"c_to_s_stddev":107.6,"s_to_c_min":66,"s_to_c_avg":168.5,"s_to_c_max":430,"s_to_c_stddev":136.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1536,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365741903,"flow_src_last_pkt_time":1578508365741903,"flow_dst_last_pkt_time":1578508365741903,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365741903,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"94.68.55.162","src_port":56674,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1536,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365741903,"flow_dst_last_pkt_time":1578508365741903,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365741903,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG4nHAqAG4XkQ3ot1idl9YCAHzAAAAALAC\/\/91dwAAAgQFtAEDAwUBAQgKItiYqQAAAAAEAgAA"} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1539,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365701530,"flow_dst_last_pkt_time":1578508365742943,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365742943,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIG+uaLov\/SwKgBuHZf3WDeocLiwfz+hqAS\/ogDJwAAAgQFrAQCCArjm6OzItiYggEDAwc="} @@ -335,16 +335,16 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1582,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":66,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365777046,"flow_dst_last_pkt_time":1578508365776923,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365777046,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGLqHAqAG4I+sl2N1jdl9d8bOcqknE0YAQECyPmwAAAQEICiLYmMg1IQWk"} 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1583,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":66,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365751805,"flow_src_last_pkt_time":1578508365778282,"flow_dst_last_pkt_time":1578508365776923,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":530,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365778282,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.235.37.216","src_port":56675,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00728{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1586,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365781990,"flow_dst_last_pkt_time":1578508364776411,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":213,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":213,"pkt_l4_len":179,"thread_ts_usec":1578508365781990,"pkt":"EBMx8Tl2KDc3AG3ICABFAADHjqoAAEARyLjAqAG40WGPAXZfw1AAs7BF2l5Lj\/FNPSwNskN7KXHg69sINFX5NaCleeEwgXwmONn61xupKUye1QOfHD1DMyDw8Rv4bxSGME4AJ9XC7q+0Pwz+NqNAUtNYGL1TDF+F5wROIhyoide5OcgIFnuRD6baAQP4R7hAggEUSZWpWZm0YK3HCqZiBR7sHJ3wp8USPzyX73HGoWVqts4UjRd8TfDxZuCIPe7jI\/CXMWJB7l7pTCCyfJvg8YReFiBh"} -01455{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1589,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365239758,"flow_src_last_pkt_time":1578508365782730,"flow_dst_last_pkt_time":1578508365782698,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":583,"flow_dst_max_l4_payload_len":391,"flow_src_tot_l4_payload_len":871,"flow_dst_tot_l4_payload_len":648,"midstream":0,"thread_ts_usec":1578508365782730,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":8,"flow_avg":33944.7,"flow_max":184362,"flow_stddev":70166.1,"c_to_s_min":8,"c_to_s_avg":27164.6,"c_to_s_max":182759,"c_to_s_stddev":64176.6,"s_to_c_min":9,"s_to_c_avg":45245.0,"s_to_c_max":184362,"s_to_c_stddev":77846.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":110.2,"c_to_s_max":649,"c_to_s_stddev":127.0,"s_to_c_min":66,"s_to_c_avg":120.7,"s_to_c_max":457,"s_to_c_stddev":110.1}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01455{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1589,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365239758,"flow_src_last_pkt_time":1578508365782730,"flow_dst_last_pkt_time":1578508365782698,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":583,"flow_dst_max_l4_payload_len":391,"flow_src_tot_l4_payload_len":871,"flow_dst_tot_l4_payload_len":648,"midstream":0,"thread_ts_usec":1578508365782730,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":8,"flow_avg":35029.4,"flow_max":184362,"flow_stddev":71024.3,"c_to_s_min":8,"c_to_s_avg":28577.5,"c_to_s_max":182759,"c_to_s_stddev":65539.9,"s_to_c_min":9,"s_to_c_avg":45245.0,"s_to_c_max":184362,"s_to_c_stddev":77846.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":110.2,"c_to_s_max":649,"c_to_s_stddev":127.0,"s_to_c_min":66,"s_to_c_avg":120.7,"s_to_c_max":457,"s_to_c_stddev":110.1}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1645,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365741903,"flow_dst_last_pkt_time":1578508365813172,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365813172,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADAG8nVeRDeiwKgBuHZf3WKbomHRWAgB9KAScSDEJQAAAgQFrAQCCAppF+qfItiYqQEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1646,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365813279,"flow_dst_last_pkt_time":1578508365813172,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365813279,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG4n3AqAG4XkQ3ot1idl9YCAH0m6Jh0oAQECxToAAAAQEICiLYmOdpF+qf"} 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1647,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365741903,"flow_src_last_pkt_time":1578508365814591,"flow_dst_last_pkt_time":1578508365813172,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":547,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365814591,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"94.68.55.162","src_port":56674,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1664,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":67,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365828265,"flow_src_last_pkt_time":1578508365828265,"flow_dst_last_pkt_time":1578508365828265,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365828265,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"13.251.14.199","src_port":56678,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1664,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":67,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365828265,"flow_dst_last_pkt_time":1578508365828265,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365828265,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGW5bAqAG4DfsOx91mdl9PCwRhAAAAALAC\/\/\/02wAAAgQFtAEDAwUBAQgKItiY9AAAAAAEAgAA"} -01448{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1665,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365701530,"flow_src_last_pkt_time":1578508365787932,"flow_dst_last_pkt_time":1578508365828317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":356,"flow_src_tot_l4_payload_len":626,"flow_dst_tot_l4_payload_len":420,"midstream":0,"thread_ts_usec":1578508365828317,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"139.162.255.210","src_port":56672,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":8,"flow_avg":6675.7,"flow_max":42383,"flow_stddev":14912.6,"c_to_s_min":8,"c_to_s_avg":4824.2,"c_to_s_max":42119,"c_to_s_stddev":13073.1,"s_to_c_min":11,"s_to_c_avg":9056.2,"s_to_c_max":42383,"s_to_c_stddev":16688.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.4,"c_to_s_max":452,"c_to_s_stddev":89.6,"s_to_c_min":60,"s_to_c_avg":93.6,"s_to_c_max":422,"s_to_c_stddev":91.8}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01448{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1665,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365701530,"flow_src_last_pkt_time":1578508365787932,"flow_dst_last_pkt_time":1578508365828317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":356,"flow_src_tot_l4_payload_len":626,"flow_dst_tot_l4_payload_len":420,"midstream":0,"thread_ts_usec":1578508365828317,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"139.162.255.210","src_port":56672,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":8,"flow_avg":6877.1,"flow_max":42383,"flow_stddev":15108.4,"c_to_s_min":8,"c_to_s_avg":5082.5,"c_to_s_max":42119,"c_to_s_stddev":13407.4,"s_to_c_min":11,"s_to_c_avg":9056.2,"s_to_c_max":42383,"s_to_c_stddev":16688.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.4,"c_to_s_max":452,"c_to_s_stddev":89.6,"s_to_c_min":60,"s_to_c_avg":93.6,"s_to_c_max":422,"s_to_c_stddev":91.8}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1691,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":68,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365846680,"flow_src_last_pkt_time":1578508365846680,"flow_dst_last_pkt_time":1578508365846680,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365846680,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.158.52","src_port":56679,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1691,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":68,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365846680,"flow_dst_last_pkt_time":1578508365846680,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365846680,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGtj\/AqAG4I+SeNN1ndl9FuX9aAAAAALAC\/\/\/dzAAAAgQFtAEDAwUBAQgKItiZBAAAAAAEAgAA"} -01453{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1700,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365279592,"flow_src_last_pkt_time":1578508365851788,"flow_dst_last_pkt_time":1578508365851734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":428,"flow_src_tot_l4_payload_len":760,"flow_dst_tot_l4_payload_len":764,"midstream":0,"thread_ts_usec":1578508365851788,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":9,"flow_avg":36006.1,"flow_max":194120,"flow_stddev":73423.6,"c_to_s_min":9,"c_to_s_avg":29002.7,"c_to_s_max":194120,"c_to_s_stddev":67104.2,"s_to_c_min":17,"s_to_c_avg":47678.5,"s_to_c_max":193755,"s_to_c_stddev":81566.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":104.6,"c_to_s_max":538,"c_to_s_stddev":103.3,"s_to_c_min":66,"s_to_c_avg":130.3,"s_to_c_max":494,"s_to_c_stddev":116.0}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01453{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1700,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365279592,"flow_src_last_pkt_time":1578508365851788,"flow_dst_last_pkt_time":1578508365851734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":428,"flow_src_tot_l4_payload_len":760,"flow_dst_tot_l4_payload_len":764,"midstream":0,"thread_ts_usec":1578508365851788,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":9,"flow_avg":36914.1,"flow_max":194120,"flow_stddev":74421.4,"c_to_s_min":9,"c_to_s_avg":30115.6,"c_to_s_max":194120,"c_to_s_stddev":68667.4,"s_to_c_min":17,"s_to_c_avg":47678.5,"s_to_c_max":193755,"s_to_c_stddev":81566.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":104.6,"c_to_s_max":538,"c_to_s_stddev":103.3,"s_to_c_min":66,"s_to_c_avg":130.3,"s_to_c_max":494,"s_to_c_stddev":116.0}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1710,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":69,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365852452,"flow_src_last_pkt_time":1578508365852452,"flow_dst_last_pkt_time":1578508365852452,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365852452,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.59.17.58","src_port":56680,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1710,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":69,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365852452,"flow_dst_last_pkt_time":1578508365852452,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365852452,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG3OLAqAG4ijsROt1odl\/ttHvbAAAAALAC\/\/9f7QAAAgQFtAEDAwUBAQgKItiZCQAAAAAEAgAA"} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1750,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":70,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365885366,"flow_src_last_pkt_time":1578508365885366,"flow_dst_last_pkt_time":1578508365885366,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365885366,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"207.180.206.216","src_port":56681,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -360,10 +360,10 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1776,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":70,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365926010,"flow_dst_last_pkt_time":1578508365925923,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365926010,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG2dbAqAG4z7TO2N1pdl+dzwtnJw8AtoAQECw5oAAAAQEICiLYmUxcfI6d"} 00988{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1777,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":70,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365885366,"flow_src_last_pkt_time":1578508365927412,"flow_dst_last_pkt_time":1578508365925923,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":502,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":502,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365927412,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"207.180.206.216","src_port":56681,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00695{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1780,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":71,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365919739,"flow_dst_last_pkt_time":1578508365951357,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":189,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":189,"pkt_l4_len":155,"thread_ts_usec":1578508365951357,"pkt":"KDc3AG3IEBMx8Tl2CABFAACvrTpAADMRthqnVnoywKgBuHZfdl8AmyGXAff4avCCJKd8iLkYnGp5WBGcR5kwKjaGYfuGK7O5Pxha3PZrVargsE3sp+V969kCE0ZShXRyP212X0\/ogX+KLxU0BMrg9yur0MCSn4OC+hF8e78p1SovnEhcJv1j5UvsAALwyYSnVnoygnZfgKByZEv+wn4eYEUXuf5R8Qoku8N0GB0rNIQImrGkxu4BYoReFiBh"} -01451{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1796,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365741903,"flow_src_last_pkt_time":1578508365961141,"flow_dst_last_pkt_time":1578508365961206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":504,"flow_src_tot_l4_payload_len":835,"flow_dst_tot_l4_payload_len":840,"midstream":0,"thread_ts_usec":1578508365961206,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"94.68.55.162","src_port":56674,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":13724.6,"flow_max":75129,"flow_stddev":28002.1,"c_to_s_min":7,"c_to_s_avg":10994.2,"c_to_s_max":74778,"c_to_s_stddev":25622.1,"s_to_c_min":15,"s_to_c_avg":18275.2,"s_to_c_max":75129,"s_to_c_stddev":31043.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":108.3,"c_to_s_max":613,"c_to_s_stddev":119.2,"s_to_c_min":66,"s_to_c_avg":136.7,"s_to_c_max":570,"s_to_c_stddev":136.8}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01451{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1796,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365741903,"flow_src_last_pkt_time":1578508365961141,"flow_dst_last_pkt_time":1578508365961206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":504,"flow_src_tot_l4_payload_len":835,"flow_dst_tot_l4_payload_len":840,"midstream":0,"thread_ts_usec":1578508365961206,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"94.68.55.162","src_port":56674,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":14146.5,"flow_max":75129,"flow_stddev":28349.9,"c_to_s_min":7,"c_to_s_avg":11538.8,"c_to_s_max":74778,"c_to_s_stddev":26174.6,"s_to_c_min":15,"s_to_c_avg":18275.2,"s_to_c_max":75129,"s_to_c_stddev":31043.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":108.3,"c_to_s_max":613,"c_to_s_stddev":119.2,"s_to_c_min":66,"s_to_c_avg":136.7,"s_to_c_max":570,"s_to_c_stddev":136.8}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1835,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508366005550,"flow_src_last_pkt_time":1578508366005550,"flow_dst_last_pkt_time":1578508366005550,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508366005550,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.83.237.44","src_port":56684,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1835,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":72,"flow_packet_id":1,"flow_src_last_pkt_time":1578508366005550,"flow_dst_last_pkt_time":1578508366005550,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508366005550,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGV9jAqAG4M1PtLN1sdl8dp4x2AAAAALAC\/\/+ZwwAAAgQFtAEDAwUBAQgKItiZlwAAAAAEAgAA"} -01456{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1847,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1578508365226088,"flow_src_last_pkt_time":1578508365751522,"flow_dst_last_pkt_time":1578508366012044,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":539,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":779,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508366012044,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.75.171.190","src_port":56657,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":8,"flow_avg":40989.7,"flow_max":263115,"flow_stddev":94601.3,"c_to_s_min":10,"c_to_s_avg":30924.4,"c_to_s_max":263115,"c_to_s_stddev":84177.4,"s_to_c_min":8,"s_to_c_avg":52397.1,"s_to_c_max":261414,"s_to_c_stddev":104002.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":112.5,"c_to_s_max":605,"c_to_s_stddev":126.5,"s_to_c_min":60,"s_to_c_avg":97.4,"s_to_c_max":525,"s_to_c_stddev":115.0}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01456{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1847,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1578508365226088,"flow_src_last_pkt_time":1578508365751522,"flow_dst_last_pkt_time":1578508366012044,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":539,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":779,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508366012044,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.75.171.190","src_port":56657,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":8,"flow_avg":42302.9,"flow_max":263115,"flow_stddev":95827.5,"c_to_s_min":10,"c_to_s_avg":32839.6,"c_to_s_max":263115,"c_to_s_stddev":86408.0,"s_to_c_min":8,"s_to_c_avg":52397.1,"s_to_c_max":261414,"s_to_c_stddev":104002.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":112.5,"c_to_s_max":605,"c_to_s_stddev":126.5,"s_to_c_min":60,"s_to_c_avg":97.4,"s_to_c_max":525,"s_to_c_stddev":115.0}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1857,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":73,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508366020357,"flow_src_last_pkt_time":1578508366020357,"flow_dst_last_pkt_time":1578508366020357,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508366020357,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"88.99.93.219","src_port":56685,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1857,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":1,"flow_src_last_pkt_time":1578508366020357,"flow_dst_last_pkt_time":1578508366020357,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508366020357,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGwhnAqAG4WGNd291tdl+CSdQcAAAAALAC\/\/9XrgAAAgQFtAEDAwUBAQgKItiZpAAAAAAEAgAA"} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1862,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_src_last_pkt_time":1578508366029471,"flow_dst_last_pkt_time":1578508364922060,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508366029471,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGjuvAqAG4I+nFg909dl+ptEcpAAAAALAC\/\/+KMAAAAgQFtAEDAwUBAQgKItiZrAAAAAAEAgAA"} @@ -384,7 +384,7 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1968,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_packet_id":2,"flow_src_last_pkt_time":1578508366073881,"flow_dst_last_pkt_time":1578508366117663,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508366117663,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGSnvOvWsjwKgBuHZf3W6FBUsAADkpP6AScSCofQAAAgQFrAQCCApn2sBGItiZ0wEDAwc="} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1969,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_packet_id":3,"flow_src_last_pkt_time":1578508366117769,"flow_dst_last_pkt_time":1578508366117663,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508366117769,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGPoPAqAG4zr1rI91udl8AOSk\/hQVLAYAQECw4DwAAAQEICiLYmfpn2sBG"} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1970,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508366073881,"flow_src_last_pkt_time":1578508366119559,"flow_dst_last_pkt_time":1578508366117663,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":407,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":407,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508366119559,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"206.189.107.35","src_port":56686,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01457{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1983,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1578508365712625,"flow_src_last_pkt_time":1578508366123630,"flow_dst_last_pkt_time":1578508366123331,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":567,"flow_dst_max_l4_payload_len":347,"flow_src_tot_l4_payload_len":951,"flow_dst_tot_l4_payload_len":859,"midstream":0,"thread_ts_usec":1578508366123630,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"78.47.147.155","src_port":56673,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":12,"flow_avg":25700.5,"flow_max":285939,"flow_stddev":64414.8,"c_to_s_min":12,"c_to_s_avg":17900.4,"c_to_s_max":285939,"c_to_s_stddev":58701.5,"s_to_c_min":235,"s_to_c_avg":45634.0,"s_to_c_max":246535,"s_to_c_stddev":73443.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":108.4,"c_to_s_max":633,"c_to_s_stddev":114.8,"s_to_c_min":66,"s_to_c_avg":162.3,"s_to_c_max":413,"s_to_c_stddev":125.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01457{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1983,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1578508365712625,"flow_src_last_pkt_time":1578508366123630,"flow_dst_last_pkt_time":1578508366123331,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":567,"flow_dst_max_l4_payload_len":347,"flow_src_tot_l4_payload_len":951,"flow_dst_tot_l4_payload_len":859,"midstream":0,"thread_ts_usec":1578508366123630,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"78.47.147.155","src_port":56673,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":12,"flow_avg":26506.8,"flow_max":285939,"flow_stddev":65286.3,"c_to_s_min":12,"c_to_s_avg":18682.0,"c_to_s_max":285939,"c_to_s_stddev":59903.7,"s_to_c_min":235,"s_to_c_avg":45634.0,"s_to_c_max":246535,"s_to_c_stddev":73443.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":108.4,"c_to_s_max":633,"c_to_s_stddev":114.8,"s_to_c_min":66,"s_to_c_avg":162.3,"s_to_c_max":413,"s_to_c_stddev":125.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 01031{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":16,"flow_first_seen":1578508365226088,"flow_src_last_pkt_time":1578508365751522,"flow_dst_last_pkt_time":1578508366012064,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":539,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":779,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508366135917,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.75.171.190","src_port":56657,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 01024{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":69,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365852452,"flow_src_last_pkt_time":1578508366055031,"flow_dst_last_pkt_time":1578508366053699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":447,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":447,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508366135917,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.59.17.58","src_port":56680,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 01031{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":34,"flow_dst_packets_processed":27,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365195126,"flow_dst_last_pkt_time":1578508365241563,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":410,"flow_dst_max_l4_payload_len":382,"flow_src_tot_l4_payload_len":762,"flow_dst_tot_l4_payload_len":798,"midstream":0,"thread_ts_usec":1578508366135917,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} diff --git a/test/results/exe_download.pcap.out b/test/results/exe_download.pcap.out index 9857c9685..1de763030 100644 --- a/test/results/exe_download.pcap.out +++ b/test/results/exe_download.pcap.out @@ -6,7 +6,7 @@ 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1569434051324323,"flow_dst_last_pkt_time":1569434051324116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1569434051324323,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoALJAAIAGAJIKCRllkFtFw8ANAFC+hvgfPu\/YuVAQ+vAsqgAA"} 01243{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434051324979,"flow_dst_last_pkt_time":1569434051324116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569434051324979,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"144.91.69.195","http": {"url":"144.91.69.195\/solar.php","code":0,"content_type":"","user_agent":"pwtyyEKzNtGatwnJjmCcBLbOveCVpc"}}} 01398{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434051324979,"flow_dst_last_pkt_time":1569434051623372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1569434051623372,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"144.91.69.195","http": {"url":"144.91.69.195\/solar.php","code":200,"content_type":"application\/octet-stream","user_agent":"pwtyyEKzNtGatwnJjmCcBLbOveCVpc"}}} -01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434051966172,"flow_dst_last_pkt_time":1569434051966041,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":25896,"midstream":0,"thread_ts_usec":1569434051966172,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":45730036.0,"flow_max":1461438572,"flow_stddev":254268784.0,"c_to_s_min":207,"c_to_s_avg":132945456.0,"c_to_s_max":1461438572,"c_to_s_stddev":420106432.0,"s_to_c_min":7,"s_to_c_avg":45773.6,"s_to_c_max":319320,"s_to_c_stddev":107172.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":69.0,"c_to_s_max":207,"c_to_s_stddev":43.8,"s_to_c_min":54,"s_to_c_avg":1287.3,"s_to_c_max":1514,"s_to_c_stddev":411.6}},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} +01691{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434051966172,"flow_dst_last_pkt_time":1569434051966041,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":25896,"midstream":0,"thread_ts_usec":1569434051966172,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":62020.0,"flow_max":319527,"flow_stddev":115050.4,"c_to_s_min":207,"c_to_s_avg":96137.6,"c_to_s_max":319527,"c_to_s_stddev":123266.6,"s_to_c_min":7,"s_to_c_avg":45773.6,"s_to_c_max":319320,"s_to_c_stddev":107172.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":69.0,"c_to_s_max":207,"c_to_s_stddev":43.8,"s_to_c_min":54,"s_to_c_avg":1287.3,"s_to_c_max":1514,"s_to_c_stddev":411.6}},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 01266{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":703,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":203,"flow_dst_packets_processed":500,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434056186340,"flow_dst_last_pkt_time":1569434056096541,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":679332,"midstream":0,"thread_ts_usec":1569434056186340,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 00569{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":703,"source":"exe_download.pcap","alias":"nDPId-test","packets-captured":703,"packets-processed":703,"total-skipped-flows":0,"total-l4-payload-len":679485,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1569434056186340} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -22,5 +22,5 @@ ~~ total allocations/frees...: 122143/122143 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 483 chars -~~ json string max len.......: 1717 chars -~~ json string avg len.......: 1067 chars +~~ json string max len.......: 1696 chars +~~ json string avg len.......: 1057 chars diff --git a/test/results/exe_download_as_png.pcap.out b/test/results/exe_download_as_png.pcap.out index 2612b3ee8..2f37642a4 100644 --- a/test/results/exe_download_as_png.pcap.out +++ b/test/results/exe_download_as_png.pcap.out @@ -6,7 +6,7 @@ 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1569434903440784,"flow_dst_last_pkt_time":1569434903440451,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1569434903440784,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoBlJAAIAGv\/QKCRlluWJXucAtAFB7PMGXLy4K1lAQ+vBJBAAA"} 01126{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434903441012,"flow_dst_last_pkt_time":1569434903440451,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569434903441012,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"185.98.87.185","http": {"url":"185.98.87.185\/tablone.png","code":0,"content_type":"","user_agent":"WinHTTP loader\/1.0"}}} 01261{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434903441012,"flow_dst_last_pkt_time":1569434904053845,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1569434904053845,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"185.98.87.185","http": {"url":"185.98.87.185\/tablone.png","code":200,"content_type":"image\/png","user_agent":"WinHTTP loader\/1.0"}}} -01601{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434904481632,"flow_dst_last_pkt_time":1569434904508320,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":25916,"midstream":0,"thread_ts_usec":1569434904508320,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":12,"flow_avg":72386984.0,"flow_max":2313474074,"flow_stddev":402511168.0,"c_to_s_min":228,"c_to_s_avg":210446848.0,"c_to_s_max":2313474074,"c_to_s_stddev":665035648.0,"s_to_c_min":12,"s_to_c_avg":69905.8,"s_to_c_max":612677,"s_to_c_stddev":170166.3},"pktlen": {"c_to_s_min":54,"c_to_s_avg":68.6,"c_to_s_max":203,"c_to_s_stddev":42.6,"s_to_c_min":54,"s_to_c_avg":1288.3,"s_to_c_max":1514,"s_to_c_stddev":400.9}},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01581{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434904481632,"flow_dst_last_pkt_time":1569434904508320,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":25916,"midstream":0,"thread_ts_usec":1569434904508320,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":12,"flow_avg":93850.2,"flow_max":613012,"flow_stddev":192589.9,"c_to_s_min":228,"c_to_s_avg":144133.4,"c_to_s_max":613012,"c_to_s_stddev":224589.6,"s_to_c_min":12,"s_to_c_avg":69905.8,"s_to_c_max":612677,"s_to_c_stddev":170166.3},"pktlen": {"c_to_s_min":54,"c_to_s_avg":68.6,"c_to_s_max":203,"c_to_s_stddev":42.6,"s_to_c_min":54,"s_to_c_avg":1288.3,"s_to_c_max":1514,"s_to_c_stddev":400.9}},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01153{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":534,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":163,"flow_dst_packets_processed":371,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434972556095,"flow_dst_last_pkt_time":1569434912545467,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":299,"flow_dst_tot_l4_payload_len":500298,"midstream":0,"thread_ts_usec":1569434972556095,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00576{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":534,"source":"exe_download_as_png.pcap","alias":"nDPId-test","packets-captured":534,"packets-processed":534,"total-skipped-flows":0,"total-l4-payload-len":500597,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1569434972556095} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -22,5 +22,5 @@ ~~ total allocations/frees...: 121973/121973 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars -~~ json string max len.......: 1606 chars -~~ json string avg len.......: 1016 chars +~~ json string max len.......: 1586 chars +~~ json string avg len.......: 1007 chars diff --git a/test/results/facebook.pcap.out b/test/results/facebook.pcap.out index 2ed7aa292..9415a16fa 100644 --- a/test/results/facebook.pcap.out +++ b/test/results/facebook.pcap.out @@ -13,7 +13,7 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1472393123682902,"flow_dst_last_pkt_time":1472393123682883,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1472393123682902,"pkt":"mAyC0zx8MFLLbJwbCABFAAA0dR5AAEAGZLrAqCsSHw1WJK5GAbsvASg+cOnYd4AQAOVhEgAAAQEICgBLXUglRdDW"} 01068{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":23,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393123683095,"flow_dst_last_pkt_time":1472393123682883,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1472393123683095,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.facebook.com","tls": {"version":"TLSv1.2","ja3":"5c60e71f1b8cd40e4d40ed5b6d666e3f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,spdy\/3.1,http\/1.1"}}} 01128{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393123683095,"flow_dst_last_pkt_time":1472393123838069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":146,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":146,"midstream":0,"thread_ts_usec":1472393123838069,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.facebook.com","tls": {"version":"TLSv1.2","ja3":"5c60e71f1b8cd40e4d40ed5b6d666e3f","ja3s":"96681175a9547081bf3d417f1a572091","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,spdy\/3.1,http\/1.1"}}} -01353{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393124118414,"flow_dst_last_pkt_time":1472393124118402,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":992,"flow_dst_tot_l4_payload_len":15090,"midstream":0,"thread_ts_usec":1472393124118414,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":193,"flow_avg":52887.2,"flow_max":557106,"flow_stddev":106998.6,"c_to_s_min":193,"c_to_s_avg":80339.6,"c_to_s_max":557106,"c_to_s_stddev":144661.1,"s_to_c_min":418,"s_to_c_avg":31535.3,"s_to_c_max":154701,"s_to_c_stddev":55088.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":137.4,"c_to_s_max":583,"c_to_s_stddev":157.9,"s_to_c_min":66,"s_to_c_avg":904.8,"s_to_c_max":1454,"s_to_c_stddev":625.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393124118414,"flow_dst_last_pkt_time":1472393124118402,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":992,"flow_dst_tot_l4_payload_len":15090,"midstream":0,"thread_ts_usec":1472393124118414,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":193,"flow_avg":36622.1,"flow_max":154982,"flow_stddev":57898.8,"c_to_s_min":193,"c_to_s_avg":43665.2,"c_to_s_max":154982,"c_to_s_stddev":60881.0,"s_to_c_min":418,"s_to_c_avg":31535.3,"s_to_c_max":154701,"s_to_c_stddev":55088.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":137.4,"c_to_s_max":583,"c_to_s_stddev":157.9,"s_to_c_min":66,"s_to_c_avg":904.8,"s_to_c_max":1454,"s_to_c_stddev":625.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00767{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":60,"source":"facebook.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":10,"flow_first_seen":1472393122365661,"flow_src_last_pkt_time":1472393123408152,"flow_dst_last_pkt_time":1472393123665163,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":383,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":743,"flow_dst_tot_l4_payload_len":3732,"midstream":0,"thread_ts_usec":1472393124229315,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"66.220.156.68","src_port":52066,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00922{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":60,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":22,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393124218612,"flow_dst_last_pkt_time":1472393124229315,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1402,"flow_dst_tot_l4_payload_len":20642,"midstream":0,"thread_ts_usec":1472393124229315,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":60,"source":"facebook.pcap","alias":"nDPId-test","packets-captured":60,"packets-processed":60,"total-skipped-flows":0,"total-l4-payload-len":26519,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":19,"global_ts_usec":1472393124229315} diff --git a/test/results/fastcgi.pcap.out b/test/results/fastcgi.pcap.out index 74391cef0..99f16e053 100644 --- a/test/results/fastcgi.pcap.out +++ b/test/results/fastcgi.pcap.out @@ -5,7 +5,7 @@ 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1280403893598699,"flow_dst_last_pkt_time":1280403893598868,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1280403893598868,"pkt":"AAvNgo+GABzEfBq8CABFAAA8AABAAEAGJqkKAAALCgAACSMolW5v2bTavtEyUKASFqBTYwAAAgQFtAQCCAoN02\/TIuta2wEDAwc="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1280403893598925,"flow_dst_last_pkt_time":1280403893598868,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1280403893598925,"pkt":"ABzEfBq8AAvNgo+GCABFAAA0aJVAAEAGvhsKAAAJCgAAC5VuIyi+0TJQb9m024AQAFyYcwAAAQEICiLrWtsN02\/T"} 00855{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":1,"flow_first_seen":1280403893598699,"flow_src_last_pkt_time":1280403893599034,"flow_dst_last_pkt_time":1280403893598868,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1055,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1071,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1280403893599034,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.11","src_port":38254,"dst_port":9000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FastCGI","proto_id":"310","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1280403893598699,"flow_src_last_pkt_time":1280403895619664,"flow_dst_last_pkt_time":1280403895619673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1055,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":14480,"midstream":0,"thread_ts_usec":1280403895619673,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.11","src_port":38254,"dst_port":9000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":12,"flow_avg":35383084.0,"flow_max":1128216795,"flow_stddev":196279328.0,"c_to_s_min":12,"c_to_s_avg":70639856.0,"c_to_s_max":1128216795,"c_to_s_stddev":273065632.0,"s_to_c_min":12,"s_to_c_avg":126310.9,"s_to_c_max":2019881,"s_to_c_stddev":488917.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":134.9,"c_to_s_max":1121,"c_to_s_stddev":254.6,"s_to_c_min":66,"s_to_c_avg":971.5,"s_to_c_max":1514,"s_to_c_stddev":700.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FastCGI","proto_id":"310","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +01341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1280403893598699,"flow_src_last_pkt_time":1280403895619664,"flow_dst_last_pkt_time":1280403895619673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1055,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":14480,"midstream":0,"thread_ts_usec":1280403895619673,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.11","src_port":38254,"dst_port":9000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":12,"flow_avg":130385.1,"flow_max":2020143,"flow_stddev":496240.3,"c_to_s_min":12,"c_to_s_avg":134731.0,"c_to_s_max":2020143,"c_to_s_stddev":503897.6,"s_to_c_min":12,"s_to_c_avg":126310.9,"s_to_c_max":2019881,"s_to_c_stddev":488917.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":134.9,"c_to_s_max":1121,"c_to_s_stddev":254.6,"s_to_c_min":66,"s_to_c_avg":971.5,"s_to_c_max":1514,"s_to_c_stddev":700.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FastCGI","proto_id":"310","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00904{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":102,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":48,"flow_dst_packets_processed":54,"flow_first_seen":1280403893598699,"flow_src_last_pkt_time":1280403897015424,"flow_dst_last_pkt_time":1280403897015595,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1055,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":64400,"midstream":0,"thread_ts_usec":1280403897015595,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.11","src_port":38254,"dst_port":9000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FastCGI","proto_id":"310","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":102,"source":"fastcgi.pcap","alias":"nDPId-test","packets-captured":102,"packets-processed":102,"total-skipped-flows":0,"total-l4-payload-len":65495,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1280403897015595} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121539/121539 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 478 chars -~~ json string max len.......: 1362 chars -~~ json string avg len.......: 884 chars +~~ json string max len.......: 1346 chars +~~ json string avg len.......: 877 chars diff --git a/test/results/firefox.pcap.out b/test/results/firefox.pcap.out index ef4147917..c3c29bfa2 100644 --- a/test/results/firefox.pcap.out +++ b/test/results/firefox.pcap.out @@ -8,7 +8,7 @@ 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620927997754367,"flow_src_last_pkt_time":1620927997782476,"flow_dst_last_pkt_time":1620927997814169,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1620927997814169,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa7744226c695c0b2e440419848cf700","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":30,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620927998782772,"flow_src_last_pkt_time":1620927998782772,"flow_dst_last_pkt_time":1620927998782772,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927998782772,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1620927998782772,"flow_dst_last_pkt_time":1620927998782772,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620927998782772,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6Esl\/AbveSGQcAAAAALAC\/\/\/OTgAAAgQFtAEDAwUBAQgKNAyYZQAAAAAEAgAA"} -01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":33,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927997754367,"flow_src_last_pkt_time":1620927998776498,"flow_dst_last_pkt_time":1620927998804931,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1348,"flow_dst_tot_l4_payload_len":15691,"midstream":0,"thread_ts_usec":1620927998804931,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":95229656.0,"flow_max":3045276399,"flow_stddev":529844032.0,"c_to_s_min":3,"c_to_s_avg":217592752.0,"c_to_s_max":3045276399,"c_to_s_stddev":784258368.0,"s_to_c_min":26,"s_to_c_avg":58364.7,"s_to_c_max":575380,"s_to_c_stddev":140698.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":163.1,"c_to_s_max":583,"c_to_s_stddev":174.0,"s_to_c_min":66,"s_to_c_avg":938.2,"s_to_c_max":1506,"s_to_c_stddev":652.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01328{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":33,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927997754367,"flow_src_last_pkt_time":1620927998776498,"flow_dst_last_pkt_time":1620927998804931,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1348,"flow_dst_tot_l4_payload_len":15691,"midstream":0,"thread_ts_usec":1620927998804931,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":66861.1,"flow_max":576607,"flow_stddev":148076.5,"c_to_s_min":3,"c_to_s_avg":78625.5,"c_to_s_max":576607,"c_to_s_stddev":156965.6,"s_to_c_min":26,"s_to_c_avg":58364.7,"s_to_c_max":575380,"s_to_c_stddev":140698.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":163.1,"c_to_s_max":583,"c_to_s_stddev":174.0,"s_to_c_min":66,"s_to_c_avg":938.2,"s_to_c_max":1506,"s_to_c_stddev":652.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":42,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620927998806443,"flow_src_last_pkt_time":1620927998806443,"flow_dst_last_pkt_time":1620927998806443,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927998806443,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1620927998806443,"flow_dst_last_pkt_time":1620927998806443,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620927998806443,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EsmEAbtCftk8AAAAALAC\/\/\/03wAAAgQFtAEDAwUBAQgKNAyYeQAAAAAEAgAA"} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1620927998782772,"flow_dst_last_pkt_time":1620927998817178,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620927998817178,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yX\/JSxfE3khkHaAS\/oi4VgAAAgQFrAQCCAo8IAs5NAyYZQEDAwc="} @@ -27,7 +27,7 @@ 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":86,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1620927999112216,"flow_dst_last_pkt_time":1620927999112216,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620927999112216,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EsmRAbvLRPiuAAAAALAC\/\/9LkAAAAgQFtAEDAwUBAQgKNAyZgwAAAAAEAgAA"} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":114,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1620927999109976,"flow_dst_last_pkt_time":1620927999138093,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620927999138093,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yY9yeaT2oLD166AS\/ogrVAAAAgQFrAQCCAo8IAx5NAyZgQEDAwc="} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":115,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1620927999111334,"flow_dst_last_pkt_time":1620927999138095,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620927999138095,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yZBJLtVRAr1wcaAS\/ohHrwAAAgQFrAQCCAo8IAx6NAyZggEDAwc="} -01327{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620927998782772,"flow_src_last_pkt_time":1620927999138109,"flow_dst_last_pkt_time":1620927999138090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1491,"flow_dst_tot_l4_payload_len":17379,"midstream":0,"thread_ts_usec":1620927999138109,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":9,"flow_avg":26960.5,"flow_max":231008,"flow_stddev":56482.6,"c_to_s_min":199,"c_to_s_avg":39032.2,"c_to_s_max":203508,"c_to_s_stddev":61142.1,"s_to_c_min":9,"s_to_c_avg":18700.9,"s_to_c_max":231008,"s_to_c_stddev":51452.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":181.6,"c_to_s_max":746,"c_to_s_stddev":208.1,"s_to_c_min":66,"s_to_c_avg":981.1,"s_to_c_max":1506,"s_to_c_stddev":649.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01327{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620927998782772,"flow_src_last_pkt_time":1620927999138109,"flow_dst_last_pkt_time":1620927999138090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1491,"flow_dst_tot_l4_payload_len":17379,"midstream":0,"thread_ts_usec":1620927999138109,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":9,"flow_avg":22924.4,"flow_max":231008,"flow_stddev":52648.8,"c_to_s_min":199,"c_to_s_avg":29611.4,"c_to_s_max":203508,"c_to_s_stddev":53815.7,"s_to_c_min":9,"s_to_c_avg":18700.9,"s_to_c_max":231008,"s_to_c_stddev":51452.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":181.6,"c_to_s_max":746,"c_to_s_stddev":208.1,"s_to_c_min":66,"s_to_c_avg":981.1,"s_to_c_max":1506,"s_to_c_stddev":649.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":118,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1620927999138163,"flow_dst_last_pkt_time":1620927999138093,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1620927999138163,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EsmPAbugsPXrcnmk94AQECxIWgAAAQEICjQMmZw8IAx5"} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1620927999138166,"flow_dst_last_pkt_time":1620927999138095,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1620927999138166,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EsmQAbsCvXBxSS7VUoAQECxktgAAAQEICjQMmZw8IAx6"} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1620927999112216,"flow_dst_last_pkt_time":1620927999140847,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620927999140847,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yZFyBGfZy0T4r6AS\/og7hgAAAgQFrAQCCAo8IAx9NAyZgwEDAwc="} @@ -35,16 +35,16 @@ 01078{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":124,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999141444,"flow_dst_last_pkt_time":1620927999138095,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927999141444,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01078{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":125,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999143664,"flow_dst_last_pkt_time":1620927999138093,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927999143664,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01078{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":126,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999148674,"flow_dst_last_pkt_time":1620927999140847,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927999148674,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01197{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":154,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927998806443,"flow_src_last_pkt_time":1620927999167352,"flow_dst_last_pkt_time":1620927999167300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":16303,"midstream":0,"thread_ts_usec":1620927999167352,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19,"flow_avg":22585.9,"flow_max":221390,"flow_stddev":49851.5,"c_to_s_min":236,"c_to_s_avg":25849.5,"c_to_s_max":195798,"c_to_s_stddev":48490.8,"s_to_c_min":19,"s_to_c_avg":20047.6,"s_to_c_max":221390,"s_to_c_stddev":50739.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":173.8,"c_to_s_max":746,"c_to_s_stddev":203.2,"s_to_c_min":66,"s_to_c_avg":972.2,"s_to_c_max":1506,"s_to_c_stddev":662.9}}} +01197{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":154,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927998806443,"flow_src_last_pkt_time":1620927999167352,"flow_dst_last_pkt_time":1620927999167300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":16303,"midstream":0,"thread_ts_usec":1620927999167352,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19,"flow_avg":23282.8,"flow_max":221390,"flow_stddev":50495.5,"c_to_s_min":236,"c_to_s_avg":27762.2,"c_to_s_max":195798,"c_to_s_stddev":49809.8,"s_to_c_min":19,"s_to_c_avg":20047.6,"s_to_c_max":221390,"s_to_c_stddev":50739.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":173.8,"c_to_s_max":746,"c_to_s_stddev":203.2,"s_to_c_min":66,"s_to_c_avg":972.2,"s_to_c_max":1506,"s_to_c_stddev":662.9}}} 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":154,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927998806443,"flow_src_last_pkt_time":1620927999167352,"flow_dst_last_pkt_time":1620927999167300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":16303,"midstream":0,"thread_ts_usec":1620927999167352,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":156,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999141444,"flow_dst_last_pkt_time":1620927999169718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620927999169718,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":159,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999143664,"flow_dst_last_pkt_time":1620927999170826,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620927999170826,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":163,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999148674,"flow_dst_last_pkt_time":1620927999179715,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620927999179715,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01193{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":322,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999226479,"flow_dst_last_pkt_time":1620927999226567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16403,"midstream":0,"thread_ts_usec":1620927999226567,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":13428.3,"flow_max":199327,"flow_stddev":34872.9,"c_to_s_min":63,"c_to_s_avg":20964.8,"c_to_s_max":199327,"c_to_s_stddev":48554.8,"s_to_c_min":2,"s_to_c_avg":6778.4,"s_to_c_max":29597,"s_to_c_stddev":10706.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":142.1,"c_to_s_max":746,"c_to_s_stddev":186.0,"s_to_c_min":66,"s_to_c_avg":1031.4,"s_to_c_max":1506,"s_to_c_stddev":647.5}}} +01188{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":322,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999226479,"flow_dst_last_pkt_time":1620927999226567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16403,"midstream":0,"thread_ts_usec":1620927999226567,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":7431.5,"flow_max":29597,"flow_stddev":10227.7,"c_to_s_min":63,"c_to_s_avg":8224.6,"c_to_s_max":28362,"c_to_s_stddev":9554.4,"s_to_c_min":2,"s_to_c_avg":6778.4,"s_to_c_max":29597,"s_to_c_stddev":10706.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":142.1,"c_to_s_max":746,"c_to_s_stddev":186.0,"s_to_c_min":66,"s_to_c_avg":1031.4,"s_to_c_max":1506,"s_to_c_stddev":647.5}}} 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":322,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999226479,"flow_dst_last_pkt_time":1620927999226567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16403,"midstream":0,"thread_ts_usec":1620927999226567,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01194{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":348,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999243663,"flow_dst_last_pkt_time":1620927999243600,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620927999243663,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":26,"flow_avg":14540.0,"flow_max":197969,"flow_stddev":35140.4,"c_to_s_min":80,"c_to_s_avg":22110.4,"c_to_s_max":197969,"c_to_s_stddev":48101.7,"s_to_c_min":26,"s_to_c_avg":7860.2,"s_to_c_max":45603,"s_to_c_stddev":13699.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":142.1,"c_to_s_max":746,"c_to_s_stddev":186.0,"s_to_c_min":66,"s_to_c_avg":989.8,"s_to_c_max":1506,"s_to_c_stddev":638.3}}} +01190{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":348,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999243663,"flow_dst_last_pkt_time":1620927999243600,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620927999243663,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":26,"flow_avg":8622.9,"flow_max":45603,"flow_stddev":12422.0,"c_to_s_min":80,"c_to_s_avg":9549.1,"c_to_s_max":28187,"c_to_s_stddev":10594.2,"s_to_c_min":26,"s_to_c_avg":7860.2,"s_to_c_max":45603,"s_to_c_stddev":13699.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":142.1,"c_to_s_max":746,"c_to_s_stddev":186.0,"s_to_c_min":66,"s_to_c_avg":989.8,"s_to_c_max":1506,"s_to_c_stddev":638.3}}} 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":348,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999243663,"flow_dst_last_pkt_time":1620927999243600,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620927999243663,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01192{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":500,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999264777,"flow_dst_last_pkt_time":1620927999264937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":13869,"midstream":0,"thread_ts_usec":1620927999264937,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":15796.6,"flow_max":200209,"flow_stddev":35658.1,"c_to_s_min":2,"c_to_s_avg":23518.0,"c_to_s_max":200209,"c_to_s_stddev":48735.2,"s_to_c_min":17,"s_to_c_avg":8983.6,"s_to_c_max":37388,"s_to_c_stddev":14096.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":167.4,"c_to_s_max":746,"c_to_s_stddev":199.2,"s_to_c_min":66,"s_to_c_avg":882.3,"s_to_c_max":1506,"s_to_c_stddev":669.2}}} +01189{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":500,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999264777,"flow_dst_last_pkt_time":1620927999264937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":13869,"midstream":0,"thread_ts_usec":1620927999264937,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":9847.8,"flow_max":37388,"flow_stddev":13420.2,"c_to_s_min":2,"c_to_s_avg":10897.2,"c_to_s_max":36112,"c_to_s_stddev":12470.4,"s_to_c_min":17,"s_to_c_avg":8983.6,"s_to_c_max":37388,"s_to_c_stddev":14096.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":167.4,"c_to_s_max":746,"c_to_s_stddev":199.2,"s_to_c_min":66,"s_to_c_avg":882.3,"s_to_c_max":1506,"s_to_c_stddev":669.2}}} 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":500,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999264777,"flow_dst_last_pkt_time":1620927999264937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":13869,"midstream":0,"thread_ts_usec":1620927999264937,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00905{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5441,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":436,"flow_dst_packets_processed":629,"flow_first_seen":1620927997754367,"flow_src_last_pkt_time":1620927999853445,"flow_dst_last_pkt_time":1620927999852827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":4766,"flow_dst_tot_l4_payload_len":886436,"midstream":0,"thread_ts_usec":1620927999948696,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00905{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5441,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":408,"flow_dst_packets_processed":623,"flow_first_seen":1620927998782772,"flow_src_last_pkt_time":1620927999948696,"flow_dst_last_pkt_time":1620927999948604,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3687,"flow_dst_tot_l4_payload_len":865816,"midstream":0,"thread_ts_usec":1620927999948696,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -66,5 +66,5 @@ ~~ total allocations/frees...: 126990/126990 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 478 chars -~~ json string max len.......: 1354 chars -~~ json string avg len.......: 915 chars +~~ json string max len.......: 1333 chars +~~ json string avg len.......: 904 chars diff --git a/test/results/fix.pcap.out b/test/results/fix.pcap.out index 60341913c..9a961ec50 100644 --- a/test/results/fix.pcap.out +++ b/test/results/fix.pcap.out @@ -29,7 +29,7 @@ 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"fix.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1493755109654913,"flow_dst_last_pkt_time":1493755109655079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1493755109655079,"pkt":"ACJNe\/gxTHK5MeMlCABFAAA07JVAAEAGb0LAqAAUCBEWH7taD6B8NqfnDJ+ZSYAQhgAbHwAAAQEICho\/VIrKvigo"} 00642{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"fix.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1493755109654913,"flow_dst_last_pkt_time":1493755109655263,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":152,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":152,"pkt_l4_len":118,"thread_ts_usec":1493755109655263,"pkt":"ACJNe\/gxTHK5MeMlCABFAACK7JZAAEAGbuvAqAAUCBEWH7taD6B8NqfnDJ+ZSYAYhgDh+QAAAQEICho\/VIrKvigoOD1GSVhDT01QATk9NzEBeJwNx7ENgDAMBED9QER+x684kdwisQEtDR0N+xdw3WXtx9miEbPMQugqQ48\/iuGQlxuHyXzjXMrlCdLrvt4HtKKED90WDdY="} 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":63,"source":"fix.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1493755109941137,"flow_dst_last_pkt_time":1493755109440588,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1493755109941137,"pkt":"THK5MeMlACJNe\/gxCABFAABLyzQAADIGwMPQ9WsDwKgAFA+gshDsZRDXr0wvBlAYWgiDjAAAOD1PATk9MDAyNAEzNT1HAQCIAAAAWQxAldWZn+Q2dgAAAAE="} -01322{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"fix.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109301176,"flow_src_last_pkt_time":1493755110311293,"flow_dst_last_pkt_time":1493755110311459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":457,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":1522,"flow_dst_tot_l4_payload_len":86,"midstream":1,"thread_ts_usec":1493755110311459,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45578,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":170,"flow_avg":64270.3,"flow_max":314954,"flow_stddev":67204.8,"c_to_s_min":3585,"c_to_s_avg":65397.9,"c_to_s_max":314891,"c_to_s_stddev":66211.6,"s_to_c_min":170,"s_to_c_avg":63142.7,"s_to_c_max":314954,"s_to_c_stddev":68164.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":149.1,"c_to_s_max":511,"c_to_s_stddev":106.8,"s_to_c_min":60,"s_to_c_avg":65.0,"s_to_c_max":140,"s_to_c_stddev":19.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +01322{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"fix.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109301176,"flow_src_last_pkt_time":1493755110311293,"flow_dst_last_pkt_time":1493755110311459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":457,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":1522,"flow_dst_tot_l4_payload_len":86,"midstream":1,"thread_ts_usec":1493755110311459,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45578,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":170,"flow_avg":65174.2,"flow_max":314954,"flow_stddev":68088.5,"c_to_s_min":3585,"c_to_s_avg":67341.1,"c_to_s_max":314891,"c_to_s_stddev":67939.9,"s_to_c_min":170,"s_to_c_avg":63142.7,"s_to_c_max":314954,"s_to_c_stddev":68164.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":149.1,"c_to_s_max":511,"c_to_s_stddev":106.8,"s_to_c_min":60,"s_to_c_avg":65.0,"s_to_c_max":140,"s_to_c_stddev":19.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":87,"source":"fix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755110320014,"flow_src_last_pkt_time":1493755110320014,"flow_dst_last_pkt_time":1493755110320014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":77,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":77,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":77,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755110320014,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":38652,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00613{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"fix.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1493755110320014,"flow_dst_last_pkt_time":1493755110320014,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":131,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":131,"pkt_l4_len":97,"thread_ts_usec":1493755110320014,"pkt":"THK5MeMlACJNe\/gxCABFAAB1U\/wAADIGN9LQ9WsDwKgAFA+glvwzTd9PWnk+l1AYb96N\/wAAOD1PATk9MDA2NgEzNT1HAQHYAAAABVkI5OEMFeFiPZCEMAATlYJyAAAABFkI5OEMFVZHfdCEMAATwIJ3AAAABlkI5OEIW+2APQJxEAQ="} 00849{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"fix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755110320014,"flow_src_last_pkt_time":1493755110320014,"flow_dst_last_pkt_time":1493755110320014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":77,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":77,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":77,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755110320014,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":38652,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} @@ -38,14 +38,14 @@ 00846{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":88,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755110328857,"flow_src_last_pkt_time":1493755110328857,"flow_dst_last_pkt_time":1493755110328857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755110328857,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40918,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":89,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1493755110328857,"flow_dst_last_pkt_time":1493755110328967,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1493755110328967,"pkt":"ACJNe\/gxTHK5MeMlCABFAAA0b9ZAAEAG7AHAqAAUCBEWH5\/WD6D+vKsbjSdUdYAQ\/\/\/knQAAAQEICtZGrHjKvirJ"} 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":92,"source":"fix.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1493755110320014,"flow_dst_last_pkt_time":1493755110362185,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1493755110362185,"pkt":"ACJNe\/gxTHK5MeMlCABFAAAouAtAAEAGhg\/AqAAU0PVrA5b8D6BaeT6XM03fnFAQ\/GxkGwAAAAAAAAAA"} -01313{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":114,"source":"fix.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109264927,"flow_src_last_pkt_time":1493755110667807,"flow_dst_last_pkt_time":1493755110668000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":69,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":553,"flow_dst_tot_l4_payload_len":87,"midstream":1,"thread_ts_usec":1493755110668000,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":47968,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25,"flow_avg":88366.3,"flow_max":300186,"flow_stddev":83675.8,"c_to_s_min":29,"c_to_s_avg":89040.6,"c_to_s_max":300170,"c_to_s_stddev":83415.2,"s_to_c_min":25,"s_to_c_avg":87692.1,"s_to_c_max":300186,"s_to_c_stddev":83930.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":100.6,"c_to_s_max":135,"c_to_s_stddev":15.8,"s_to_c_min":66,"s_to_c_avg":71.4,"s_to_c_max":153,"s_to_c_stddev":21.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +01313{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":114,"source":"fix.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109264927,"flow_src_last_pkt_time":1493755110667807,"flow_dst_last_pkt_time":1493755110668000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":69,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":553,"flow_dst_tot_l4_payload_len":87,"midstream":1,"thread_ts_usec":1493755110668000,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":47968,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25,"flow_avg":90514.6,"flow_max":300186,"flow_stddev":84141.6,"c_to_s_min":29,"c_to_s_avg":93525.3,"c_to_s_max":300170,"c_to_s_stddev":84262.5,"s_to_c_min":25,"s_to_c_avg":87692.1,"s_to_c_max":300186,"s_to_c_stddev":83930.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":100.6,"c_to_s_max":135,"c_to_s_stddev":15.8,"s_to_c_min":66,"s_to_c_avg":71.4,"s_to_c_max":153,"s_to_c_stddev":21.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00608{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1493755111422176,"flow_dst_last_pkt_time":1493755110328967,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"thread_ts_usec":1493755111422176,"pkt":"THK5MeMlACJNe\/gxCABFAABwiaEAAPUGXPoIERYfwKgAFA+gn9aNJ1R1\/ryrG4AY\/\/+zfAAAAQEICsq+Lw\/WRqx4OD1PATk9MDA0OQEzNT1HAQFQAAAADVkI5OEMFgYg3VCIUAATiYF3AAAADFkI5OEMB9wg3RAAEAATiYAA"} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":155,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755111956116,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755111956116,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":38646,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":155,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1493755111956116,"pkt":"THK5MeMlACJNe\/gxCABFAABP7\/wAADIGm\/fQ9WsDwKgAFA+glvYLJrChYuT9OVAYYmg1SgAAOD1GSVguNC4xATk9MDAwMTQBMzU9MQExMTI9ZmFybQExMD0yMTcB"} 00850{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":155,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755111956116,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755111956116,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":38646,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":156,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956292,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1493755111956292,"pkt":"ACJNe\/gxTHK5MeMlCABFAAAoPOZAAEAGATXAqAAU0PVrA5b2D6Bi5P05CyawyFAQ\/Gz0DgAAAAAAAAAA"} 00630{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":157,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956474,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":139,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":139,"pkt_l4_len":105,"thread_ts_usec":1493755111956474,"pkt":"ACJNe\/gxTHK5MeMlCABFAAB9POdAAEAGAN\/AqAAU0PVrA5b2D6Bi5P05CyawyFAY\/GyQmgAAOD1GSVhDT01QATk9NzABeJwFwTEKgEAMBEDyII\/dJIu5g7SCP7C1sbPx\/4Uz1cd5jRy02UDKQg2LbFAVafJ2cIfgG+dSraCR3s\/9vUY05fYD3SIN0A=="} -01342{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":159,"source":"fix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109242949,"flow_src_last_pkt_time":1493755111999185,"flow_dst_last_pkt_time":1493755111999341,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":188,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":1313,"flow_dst_tot_l4_payload_len":85,"midstream":1,"thread_ts_usec":1493755111999341,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":43594,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":24,"flow_avg":129497256.0,"flow_max":4138399541,"flow_stddev":720020096.0,"c_to_s_min":30,"c_to_s_avg":258822240.0,"c_to_s_max":4138399541,"c_to_s_stddev":1001702528.0,"s_to_c_min":24,"s_to_c_avg":172274.5,"s_to_c_max":291268,"s_to_c_stddev":116955.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":148.1,"c_to_s_max":254,"c_to_s_stddev":45.1,"s_to_c_min":66,"s_to_c_avg":71.3,"s_to_c_max":151,"s_to_c_stddev":20.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +01321{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":159,"source":"fix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109242949,"flow_src_last_pkt_time":1493755111999185,"flow_dst_last_pkt_time":1493755111999341,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":188,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":1313,"flow_dst_tot_l4_payload_len":85,"midstream":1,"thread_ts_usec":1493755111999341,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":43594,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":24,"flow_avg":177826.7,"flow_max":291268,"flow_stddev":112931.7,"c_to_s_min":30,"c_to_s_avg":183749.1,"c_to_s_max":251471,"c_to_s_stddev":108161.5,"s_to_c_min":24,"s_to_c_avg":172274.5,"s_to_c_max":291268,"s_to_c_stddev":116955.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":148.1,"c_to_s_max":254,"c_to_s_stddev":45.1,"s_to_c_min":66,"s_to_c_avg":71.3,"s_to_c_max":151,"s_to_c_stddev":20.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":209,"source":"fix.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755113353296,"flow_src_last_pkt_time":1493755113353296,"flow_dst_last_pkt_time":1493755113353296,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755113353296,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":39094,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":209,"source":"fix.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1493755113353296,"flow_dst_last_pkt_time":1493755113353296,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1493755113353296,"pkt":"THK5MeMlACJNe\/gxCABFAABP8tQAADIGmR\/Q9WsDwKgAFA+gmLZKUJEYQJIHD1AYWpQ0OgAAOD1GSVguNC4xATk9MDAwMTQBMzU9MQExMTI9ZmFybQExMD0yMTcB"} 00851{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":209,"source":"fix.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755113353296,"flow_src_last_pkt_time":1493755113353296,"flow_dst_last_pkt_time":1493755113353296,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755113353296,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":39094,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} @@ -63,8 +63,8 @@ 00848{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":419,"source":"fix.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755117668152,"flow_src_last_pkt_time":1493755117668152,"flow_dst_last_pkt_time":1493755117668152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755117668152,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40928,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00647{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":420,"source":"fix.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1493755117668152,"flow_dst_last_pkt_time":1493755117668466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":152,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":152,"pkt_l4_len":118,"thread_ts_usec":1493755117668466,"pkt":"ACJNe\/gxTHK5MeMlCABFAACK1yxAAEAGhFXAqAAUCBEWH5\/gD6Bu8UTiG402I4AY\/+CkEwAAAQEICnIP3\/PKvkd1OD1GSVhDT01QATk9NzEBeJwFwbENgDAMBEB5IKJ\/Ow5OpG+R2ICWho6G\/QvuSsd5td5oU0BPixQsusCsLEuXgzsSvnGurBXDSNdzf68R4gj7Ad5tDd0="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":425,"source":"fix.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1493755117687593,"flow_dst_last_pkt_time":1493755117668466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1493755117687593,"pkt":"THK5MeMlACJNe\/gxCABFAAA09L8AAPUG8hcIERYfwKgAFA+gn+AbjTYjbvFFOIAQ\/\/9+KwAAAQEICsq+R4lyD9\/z"} -01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":554,"source":"fix.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109440420,"flow_src_last_pkt_time":1493755120254899,"flow_dst_last_pkt_time":1493755120295550,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":498,"flow_dst_tot_l4_payload_len":173,"midstream":1,"thread_ts_usec":1493755120295550,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45584,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":168,"flow_avg":681514.8,"flow_max":5507323,"flow_stddev":1264489.4,"c_to_s_min":45693,"c_to_s_avg":684584.0,"c_to_s_max":5507291,"c_to_s_stddev":1262576.8,"s_to_c_min":168,"s_to_c_avg":678445.6,"s_to_c_max":5507323,"s_to_c_stddev":1266391.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":85.1,"c_to_s_max":93,"c_to_s_stddev":11.8,"s_to_c_min":60,"s_to_c_avg":70.1,"s_to_c_max":141,"s_to_c_stddev":26.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} -01335{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1180,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755110328857,"flow_src_last_pkt_time":1493755130974521,"flow_dst_last_pkt_time":1493755130974683,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":651,"flow_dst_tot_l4_payload_len":170,"midstream":1,"thread_ts_usec":1493755130974683,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40918,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":110,"flow_avg":1300745.0,"flow_max":4175061,"flow_stddev":1128111.8,"c_to_s_min":22417,"c_to_s_avg":1311126.0,"c_to_s_max":4175061,"c_to_s_stddev":1113431.4,"s_to_c_min":110,"s_to_c_avg":1290364.1,"s_to_c_max":4175010,"s_to_c_stddev":1142509.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":106.7,"c_to_s_max":147,"c_to_s_stddev":19.5,"s_to_c_min":66,"s_to_c_avg":76.6,"s_to_c_max":151,"s_to_c_stddev":28.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":554,"source":"fix.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109440420,"flow_src_last_pkt_time":1493755120254899,"flow_dst_last_pkt_time":1493755120295550,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":498,"flow_dst_tot_l4_payload_len":173,"midstream":1,"thread_ts_usec":1493755120295550,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45584,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":168,"flow_avg":699019.6,"flow_max":5507323,"flow_stddev":1280900.8,"c_to_s_min":45693,"c_to_s_avg":720965.2,"c_to_s_max":5507291,"c_to_s_stddev":1295837.9,"s_to_c_min":168,"s_to_c_avg":678445.6,"s_to_c_max":5507323,"s_to_c_stddev":1266391.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":85.1,"c_to_s_max":93,"c_to_s_stddev":11.8,"s_to_c_min":60,"s_to_c_avg":70.1,"s_to_c_max":141,"s_to_c_stddev":26.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +01335{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1180,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755110328857,"flow_src_last_pkt_time":1493755130974521,"flow_dst_last_pkt_time":1493755130974683,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":651,"flow_dst_tot_l4_payload_len":170,"midstream":1,"thread_ts_usec":1493755130974683,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40918,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":110,"flow_avg":1331983.5,"flow_max":4175061,"flow_stddev":1132458.4,"c_to_s_min":22417,"c_to_s_avg":1376377.6,"c_to_s_max":4175061,"c_to_s_stddev":1119934.8,"s_to_c_min":110,"s_to_c_avg":1290364.1,"s_to_c_max":4175010,"s_to_c_stddev":1142509.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":106.7,"c_to_s_max":147,"c_to_s_stddev":19.5,"s_to_c_min":66,"s_to_c_avg":76.6,"s_to_c_max":151,"s_to_c_stddev":28.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00900{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1261,"source":"fix.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":228,"flow_dst_packets_processed":228,"flow_first_seen":1493755109301176,"flow_src_last_pkt_time":1493755132102784,"flow_dst_last_pkt_time":1493755132102954,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":457,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":14021,"flow_dst_tot_l4_payload_len":258,"midstream":1,"thread_ts_usec":1493755132120045,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45578,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00896{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1261,"source":"fix.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":35,"flow_dst_packets_processed":35,"flow_first_seen":1493755109440420,"flow_src_last_pkt_time":1493755131869860,"flow_dst_last_pkt_time":1493755131870022,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":1132,"flow_dst_tot_l4_payload_len":260,"midstream":1,"thread_ts_usec":1493755132120045,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45584,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00892{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1261,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":18,"flow_first_seen":1493755110328857,"flow_src_last_pkt_time":1493755132019095,"flow_dst_last_pkt_time":1493755132019254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":750,"flow_dst_tot_l4_payload_len":170,"midstream":1,"thread_ts_usec":1493755132120045,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40918,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} @@ -91,5 +91,5 @@ ~~ total allocations/frees...: 122817/122817 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 474 chars -~~ json string max len.......: 1347 chars -~~ json string avg len.......: 909 chars +~~ json string max len.......: 1340 chars +~~ json string avg len.......: 906 chars diff --git a/test/results/fix2.pcap.out b/test/results/fix2.pcap.out index 4a657c466..533c08f39 100644 --- a/test/results/fix2.pcap.out +++ b/test/results/fix2.pcap.out @@ -10,8 +10,8 @@ 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1614758889589020,"flow_dst_last_pkt_time":1614758889589588,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614758889589588,"pkt":"WgXZu6TVApXG95WRCABFAAAweT8AAIAGrLMKZgAJCmUAAgQAiJMt1EWWLdRCK3ASgAF\/OwAAAgQFtAMDAQA="} 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1614758889589590,"flow_dst_last_pkt_time":1614758889589588,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1614758889589590,"pkt":"5kBKB+riApXG95NLCABFAAAoeUAAAIAGAAAKZQACCmYACYiTBAAt1EIrLdRFl1AQgAEU8AAAAAAAAAAA"} 00844{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1614758889589020,"flow_src_last_pkt_time":1614758889589592,"flow_dst_last_pkt_time":1614758889589588,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":85,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1614758889589592,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.9","src_port":34963,"dst_port":1024,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} -01327{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":56,"source":"fix2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614758889588862,"flow_src_last_pkt_time":1614758889589960,"flow_dst_last_pkt_time":1614758889589962,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":669,"flow_dst_tot_l4_payload_len":911,"midstream":0,"thread_ts_usec":1614758889589962,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":34962,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":48714520.0,"flow_max":1510147950,"flow_stddev":266820016.0,"c_to_s_min":2,"c_to_s_avg":107867784.0,"c_to_s_max":1510147950,"c_to_s_stddev":388922528.0,"s_to_c_min":2,"s_to_c_avg":64.7,"s_to_c_max":641,"s_to_c_stddev":152.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":104.9,"c_to_s_max":160,"c_to_s_stddev":45.0,"s_to_c_min":60,"s_to_c_avg":107.8,"s_to_c_max":174,"s_to_c_stddev":47.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} -01327{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":79,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614758889589020,"flow_src_last_pkt_time":1614758889590049,"flow_dst_last_pkt_time":1614758889590048,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":762,"flow_dst_tot_l4_payload_len":801,"midstream":0,"thread_ts_usec":1614758889590049,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.9","src_port":34963,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":50338340.0,"flow_max":1510148108,"flow_stddev":271079872.0,"c_to_s_min":2,"c_to_s_avg":107867792.0,"c_to_s_max":1510148108,"c_to_s_stddev":388922592.0,"s_to_c_min":1,"s_to_c_avg":64.2,"s_to_c_max":568,"s_to_c_stddev":135.7},"pktlen": {"c_to_s_min":60,"c_to_s_avg":111.1,"c_to_s_max":160,"c_to_s_stddev":44.4,"s_to_c_min":60,"s_to_c_avg":102.1,"s_to_c_max":174,"s_to_c_stddev":46.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +01288{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":56,"source":"fix2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614758889588862,"flow_src_last_pkt_time":1614758889589960,"flow_dst_last_pkt_time":1614758889589962,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":669,"flow_dst_tot_l4_payload_len":911,"midstream":0,"thread_ts_usec":1614758889589962,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":34962,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":73.3,"flow_max":652,"flow_stddev":161.3,"c_to_s_min":2,"c_to_s_avg":84.5,"c_to_s_max":652,"c_to_s_stddev":172.0,"s_to_c_min":2,"s_to_c_avg":64.7,"s_to_c_max":641,"s_to_c_stddev":152.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":104.9,"c_to_s_max":160,"c_to_s_stddev":45.0,"s_to_c_min":60,"s_to_c_avg":107.8,"s_to_c_max":174,"s_to_c_stddev":47.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +01288{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":79,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614758889589020,"flow_src_last_pkt_time":1614758889590049,"flow_dst_last_pkt_time":1614758889590048,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":762,"flow_dst_tot_l4_payload_len":801,"midstream":0,"thread_ts_usec":1614758889590049,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.9","src_port":34963,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":70.9,"flow_max":570,"flow_stddev":141.3,"c_to_s_min":2,"c_to_s_avg":79.2,"c_to_s_max":570,"c_to_s_stddev":147.5,"s_to_c_min":1,"s_to_c_avg":64.2,"s_to_c_max":568,"s_to_c_stddev":135.7},"pktlen": {"c_to_s_min":60,"c_to_s_avg":111.1,"c_to_s_max":160,"c_to_s_stddev":44.4,"s_to_c_min":60,"s_to_c_avg":102.1,"s_to_c_max":174,"s_to_c_stddev":46.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00899{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3049,"source":"fix2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":683,"flow_dst_packets_processed":1304,"flow_first_seen":1614758889588862,"flow_src_last_pkt_time":1614758889595345,"flow_dst_last_pkt_time":1614758889595344,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":13395,"flow_dst_tot_l4_payload_len":26148,"midstream":0,"thread_ts_usec":1614758889595345,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":34962,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00898{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3049,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":411,"flow_dst_packets_processed":648,"flow_first_seen":1614758889589020,"flow_src_last_pkt_time":1614758889595307,"flow_dst_last_pkt_time":1614758889595305,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":10864,"flow_dst_tot_l4_payload_len":17549,"midstream":0,"thread_ts_usec":1614758889595345,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.9","src_port":34963,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":3049,"source":"fix2.pcap","alias":"nDPId-test","packets-captured":3049,"packets-processed":3046,"total-skipped-flows":0,"total-l4-payload-len":67956,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1614758889595345} @@ -28,5 +28,5 @@ ~~ total allocations/frees...: 124492/124492 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 475 chars -~~ json string max len.......: 1332 chars -~~ json string avg len.......: 895 chars +~~ json string max len.......: 1293 chars +~~ json string avg len.......: 876 chars diff --git a/test/results/forticlient.pcap.out b/test/results/forticlient.pcap.out index 7ff751f34..7de985e8e 100644 --- a/test/results/forticlient.pcap.out +++ b/test/results/forticlient.pcap.out @@ -35,7 +35,7 @@ 01349{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":103,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067209264717,"flow_dst_last_pkt_time":1621067209262263,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":313,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":313,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1621067209264717,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN","hostname":"82.81.46.13","tls": {"version":"TLSv1.2","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01409{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":105,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067209264717,"flow_dst_last_pkt_time":1621067209346748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":313,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1621067209346748,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN","hostname":"82.81.46.13","tls": {"version":"TLSv1.2","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"e35df3e00ca4ef31d42b34bebaa2f86e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01675{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067209264717,"flow_dst_last_pkt_time":1621067209348677,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":313,"flow_dst_tot_l4_payload_len":2421,"midstream":0,"thread_ts_usec":1621067209348677,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN","hostname":"82.81.46.13","tls": {"version":"TLSv1.2","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"e35df3e00ca4ef31d42b34bebaa2f86e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","subjectDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}} -01616{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":131,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067210297694,"flow_dst_last_pkt_time":1621067210301240,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1845,"flow_dst_tot_l4_payload_len":4568,"midstream":0,"thread_ts_usec":1621067210301240,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":39,"flow_avg":116223.7,"flow_max":1519645,"flow_stddev":274954.6,"c_to_s_min":39,"c_to_s_avg":137770.0,"c_to_s_max":1519645,"c_to_s_stddev":338711.1,"s_to_c_min":89,"s_to_c_avg":84733.1,"s_to_c_max":495036,"s_to_c_stddev":129409.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":163.7,"c_to_s_max":596,"c_to_s_stddev":146.6,"s_to_c_min":66,"s_to_c_avg":418.0,"s_to_c_max":1506,"s_to_c_stddev":468.8}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} +01611{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":131,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067210297694,"flow_dst_last_pkt_time":1621067210301240,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1845,"flow_dst_tot_l4_payload_len":4568,"midstream":0,"thread_ts_usec":1621067210301240,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":39,"flow_avg":70952.1,"flow_max":495036,"flow_stddev":111597.5,"c_to_s_min":39,"c_to_s_avg":60999.1,"c_to_s_max":429584,"c_to_s_stddev":95484.8,"s_to_c_min":89,"s_to_c_avg":84733.1,"s_to_c_max":495036,"s_to_c_stddev":129409.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":163.7,"c_to_s_max":596,"c_to_s_stddev":146.6,"s_to_c_min":66,"s_to_c_avg":418.0,"s_to_c_max":1506,"s_to_c_stddev":468.8}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00771{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":9,"flow_first_seen":1621067203571879,"flow_src_last_pkt_time":1621067204621391,"flow_dst_last_pkt_time":1621067204682403,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":171,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":493,"flow_dst_tot_l4_payload_len":2929,"midstream":0,"thread_ts_usec":1621067222261499,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61805,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00772{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":11,"flow_first_seen":1621067204622472,"flow_src_last_pkt_time":1621067205650296,"flow_dst_last_pkt_time":1621067205708789,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":203,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":526,"flow_dst_tot_l4_payload_len":6225,"midstream":0,"thread_ts_usec":1621067222261499,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61806,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00772{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":11,"flow_first_seen":1621067205651500,"flow_src_last_pkt_time":1621067206681899,"flow_dst_last_pkt_time":1621067206738955,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":203,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":712,"flow_dst_tot_l4_payload_len":3141,"midstream":0,"thread_ts_usec":1621067222261499,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61811,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/ftp-start-tls.pcap.out b/test/results/ftp-start-tls.pcap.out index e8051162f..34014261c 100644 --- a/test/results/ftp-start-tls.pcap.out +++ b/test/results/ftp-start-tls.pcap.out @@ -8,7 +8,7 @@ 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":8,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629101855,"flow_dst_last_pkt_time":1383123629098899,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":73,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":208,"midstream":0,"thread_ts_usec":1383123629101855,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} 01332{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":11,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629101855,"flow_dst_last_pkt_time":1383123629103318,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":720,"midstream":0,"thread_ts_usec":1383123629103318,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} 01437{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":13,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629101855,"flow_dst_last_pkt_time":1383123629103328,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":1447,"midstream":0,"thread_ts_usec":1383123629103328,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} -01214{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629152654,"flow_dst_last_pkt_time":1383123629153383,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":609,"flow_dst_tot_l4_payload_len":3206,"midstream":0,"thread_ts_usec":1383123629153383,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":75812328.0,"flow_max":2425845408,"flow_stddev":422078400.0,"c_to_s_min":1253,"c_to_s_avg":269546624.0,"c_to_s_max":2425845408,"c_to_s_stddev":762366784.0,"s_to_c_min":2,"s_to_c_avg":3258.0,"s_to_c_max":40376,"s_to_c_stddev":8517.8},"pktlen": {"c_to_s_min":60,"c_to_s_avg":123.7,"c_to_s_max":384,"c_to_s_stddev":101.5,"s_to_c_min":60,"s_to_c_avg":195.0,"s_to_c_max":566,"s_to_c_stddev":179.0}}} +01186{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629152654,"flow_dst_last_pkt_time":1383123629153383,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":609,"flow_dst_tot_l4_payload_len":3206,"midstream":0,"thread_ts_usec":1383123629153383,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":4811.0,"flow_max":40376,"flow_stddev":9556.7,"c_to_s_min":1253,"c_to_s_avg":9275.8,"c_to_s_max":34737,"c_to_s_stddev":10883.4,"s_to_c_min":2,"s_to_c_avg":3258.0,"s_to_c_max":40376,"s_to_c_stddev":8517.8},"pktlen": {"c_to_s_min":60,"c_to_s_avg":123.7,"c_to_s_max":384,"c_to_s_stddev":101.5,"s_to_c_min":60,"s_to_c_avg":195.0,"s_to_c_max":566,"s_to_c_stddev":179.0}}} 01437{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629152654,"flow_dst_last_pkt_time":1383123629153383,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":609,"flow_dst_tot_l4_payload_len":3206,"midstream":0,"thread_ts_usec":1383123629153383,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} 01469{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":51,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":35,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629412168,"flow_dst_last_pkt_time":1383123629233523,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":856,"flow_dst_tot_l4_payload_len":3834,"midstream":0,"thread_ts_usec":1383123629412168,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":51,"source":"ftp-start-tls.pcap","alias":"nDPId-test","packets-captured":51,"packets-processed":51,"total-skipped-flows":0,"total-l4-payload-len":4690,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1383123629412168} diff --git a/test/results/ftp.pcap.out b/test/results/ftp.pcap.out index c49ebdbcb..eaabc31c1 100644 --- a/test/results/ftp.pcap.out +++ b/test/results/ftp.pcap.out @@ -5,7 +5,7 @@ 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1552590234892296,"flow_dst_last_pkt_time":1552590234919708,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1552590234919708,"pkt":"xCwDBkn+EBMx8Tl2CABFAAA8AABAADYG4XRagkZJwKgB1AAVxgZYKsHSoyOX7qASqbA+KAAAAgQFrAQCCAoSZ\/tNO1eYmQEDAw4="} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1552590234919816,"flow_dst_last_pkt_time":1552590234919708,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1552590234919816,"pkt":"EBMx8Tl2xCwDBkn+CABFAAA0AABAAEAGAADAqAHUWoJGScYGABWjI5fuWCrB04AQECxjbgAAAQEICjtXmLQSZ\/tN"} 01043{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1552590234892296,"flow_src_last_pkt_time":1552590234976972,"flow_dst_last_pkt_time":1552590235066945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":29,"flow_dst_tot_l4_payload_len":77,"midstream":0,"thread_ts_usec":1552590235066945,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"FTP_CONTROL","proto_id":"1","encrypted":0,"breed":"Unsafe","category_id":7,"category":"Download","ftp": {"user":"anonymous","password":"NcFTP@","auth_failed":0}}} -01463{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1552590234892296,"flow_src_last_pkt_time":1552590235175924,"flow_dst_last_pkt_time":1552590235202548,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":30,"flow_dst_max_l4_payload_len":241,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":532,"midstream":0,"thread_ts_usec":1552590235202548,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":78364216.0,"flow_max":2507060984,"flow_stddev":436206816.0,"c_to_s_min":6,"c_to_s_avg":139296928.0,"c_to_s_max":2507060984,"c_to_s_stddev":574267136.0,"s_to_c_min":21,"s_to_c_avg":22160.9,"s_to_c_max":69061,"s_to_c_stddev":17666.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":71.4,"c_to_s_max":96,"c_to_s_stddev":8.0,"s_to_c_min":66,"s_to_c_avg":104.6,"s_to_c_max":307,"s_to_c_stddev":58.9}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"FTP_CONTROL","proto_id":"1","encrypted":0,"breed":"Unsafe","category_id":7,"category":"Download"}} +01438{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1552590234892296,"flow_src_last_pkt_time":1552590235175924,"flow_dst_last_pkt_time":1552590235202548,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":30,"flow_dst_max_l4_payload_len":241,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":532,"midstream":0,"thread_ts_usec":1552590235202548,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":19157.4,"flow_max":90047,"flow_stddev":20644.4,"c_to_s_min":6,"c_to_s_avg":16684.0,"c_to_s_max":90047,"c_to_s_stddev":22507.5,"s_to_c_min":21,"s_to_c_avg":22160.9,"s_to_c_max":69061,"s_to_c_stddev":17666.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":71.4,"c_to_s_max":96,"c_to_s_stddev":8.0,"s_to_c_min":66,"s_to_c_avg":104.6,"s_to_c_max":307,"s_to_c_stddev":58.9}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"FTP_CONTROL","proto_id":"1","encrypted":0,"breed":"Unsafe","category_id":7,"category":"Download"}} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":37,"source":"ftp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1552590236580045,"flow_src_last_pkt_time":1552590236580045,"flow_dst_last_pkt_time":1552590236580045,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1552590236580045,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50695,"dst_port":25685,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"ftp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1552590236580045,"flow_dst_last_pkt_time":1552590236580045,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1552590236580045,"pkt":"EBMx8Tl2xCwDBkn+CABFAABAAABAAEAGAADAqAHUWoJGScYHZFXuwKKMAAAAALAC\/\/9jegAAAgQFtAEDAwUBAQgKO1efIQAAAAAEAgAA"} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"ftp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1552590236580045,"flow_dst_last_pkt_time":1552590236608252,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1552590236608252,"pkt":"xCwDBkn+EBMx8Tl2CABFAAA8AABAADYG4XRagkZJwKgB1GRVxgdmK2Nw7sCijaASqbDL3QAAAgQFrAQCCAoSZ\/zzO1efIQEDAw4="} @@ -15,7 +15,7 @@ 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":66,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1552590241545143,"flow_dst_last_pkt_time":1552590241545143,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1552590241545143,"pkt":"EBMx8Tl2xCwDBkn+CABFAABAAABAAEAGAADAqAHUWoJGScYIX8sNBxpOAAAAALAC\/\/9jegAAAgQFtAEDAwUBAQgKO1eyYgAAAAAEAgAA"} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":67,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1552590241545143,"flow_dst_last_pkt_time":1552590241573913,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1552590241573913,"pkt":"xCwDBkn+EBMx8Tl2CABFAAA8AABAADYG4XRagkZJwKgB1F\/LxggMTnkwDQcaT6ASqbBmYgAAAgQFrAQCCAoSaAHMO1eyYgEDAw4="} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":68,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1552590241573957,"flow_dst_last_pkt_time":1552590241573913,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1552590241573957,"pkt":"EBMx8Tl2xCwDBkn+CABFAAA0AABAAEAGAADAqAHUWoJGScYIX8sNBxpPDE55MYAQECxjbgAAAQEICjtXsn0SaAHM"} -01178{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":100,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1552590241545143,"flow_src_last_pkt_time":1552590241637688,"flow_dst_last_pkt_time":1552590241639633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":24480,"midstream":0,"thread_ts_usec":1552590241639633,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50696,"dst_port":24523,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":6689.1,"flow_max":29579,"flow_stddev":11527.4,"c_to_s_min":43,"c_to_s_avg":9197.1,"c_to_s_max":29566,"c_to_s_stddev":12752.0,"s_to_c_min":2,"s_to_c_avg":4973.2,"s_to_c_max":29579,"s_to_c_stddev":10261.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":67.8,"c_to_s_max":78,"c_to_s_stddev":4.3,"s_to_c_min":66,"s_to_c_avg":1354.8,"s_to_c_max":1506,"s_to_c_stddev":440.7}}} +01178{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":100,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1552590241545143,"flow_src_last_pkt_time":1552590241637688,"flow_dst_last_pkt_time":1552590241639633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":24480,"midstream":0,"thread_ts_usec":1552590241639633,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50696,"dst_port":24523,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":6033.4,"flow_max":29579,"flow_stddev":11108.9,"c_to_s_min":43,"c_to_s_avg":7712.1,"c_to_s_max":29566,"c_to_s_stddev":12144.9,"s_to_c_min":2,"s_to_c_avg":4973.2,"s_to_c_max":29579,"s_to_c_stddev":10261.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":67.8,"c_to_s_max":78,"c_to_s_stddev":4.3,"s_to_c_min":66,"s_to_c_avg":1354.8,"s_to_c_max":1506,"s_to_c_stddev":440.7}}} 00806{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":100,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1552590241545143,"flow_src_last_pkt_time":1552590241637688,"flow_dst_last_pkt_time":1552590241639633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":24480,"midstream":0,"thread_ts_usec":1552590241639633,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50696,"dst_port":24523,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00845{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1192,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":380,"flow_dst_packets_processed":735,"flow_first_seen":1552590241545143,"flow_src_last_pkt_time":1552590241851108,"flow_dst_last_pkt_time":1552590241878454,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":1048576,"midstream":0,"thread_ts_usec":1552590243371057,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50696,"dst_port":24523,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1192,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":41,"flow_dst_packets_processed":27,"flow_first_seen":1552590234892296,"flow_src_last_pkt_time":1552590243340268,"flow_dst_last_pkt_time":1552590243371057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":30,"flow_dst_max_l4_payload_len":241,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":889,"midstream":0,"thread_ts_usec":1552590243371057,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"FTP_CONTROL","proto_id":"1","encrypted":0,"breed":"Unsafe","category_id":7,"category":"Download"}} @@ -34,5 +34,5 @@ ~~ total allocations/frees...: 122650/122650 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 474 chars -~~ json string max len.......: 1468 chars -~~ json string avg len.......: 970 chars +~~ json string max len.......: 1443 chars +~~ json string avg len.......: 957 chars diff --git a/test/results/fuzz-2006-06-26-2594.pcap.out b/test/results/fuzz-2006-06-26-2594.pcap.out index 6672c265a..72b26eabb 100644 --- a/test/results/fuzz-2006-06-26-2594.pcap.out +++ b/test/results/fuzz-2006-06-26-2594.pcap.out @@ -487,7 +487,7 @@ 01012{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":287,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":111,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120470158623642,"flow_src_last_pkt_time":1120470158623642,"flow_dst_last_pkt_time":1120470158623642,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470158623642,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2757,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"1.v.0.127.in-addr.arpa","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00594{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":288,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":111,"flow_packet_id":2,"flow_src_last_pkt_time":1120470158623642,"flow_dst_last_pkt_time":1120470158625217,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":105,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":105,"pkt_l4_len":71,"thread_ts_usec":1120470158625217,"pkt":"AODtAW69ADBUADRWCABFAABbAABAAEARtz7AqAEBwKgBAgA1CsUARyeF3\/CAAAABAAEAAAAAAXMBMAElcwAyNwdpbi1hZGRyBGFycGEAAAwAAcAMAAwAAQAAJxAACwlsb2NhbGhvc3QA"} 01120{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":288,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":111,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1120470158623642,"flow_src_last_pkt_time":1120470158623642,"flow_dst_last_pkt_time":1120470158625217,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":63,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":63,"midstream":0,"thread_ts_usec":1120470158625217,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2757,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":291,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1120469540839312,"flow_src_last_pkt_time":1120470161396896,"flow_dst_last_pkt_time":1120469540839312,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1592,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470161396896,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":741823,"flow_avg":105880736.0,"flow_max":2767625856,"flow_stddev":478582048.0,"c_to_s_min":741823,"c_to_s_avg":105880736.0,"c_to_s_max":2767625856,"c_to_s_stddev":478582048.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":92,"c_to_s_avg":92.0,"c_to_s_max":92,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +01341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":291,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1120469540839312,"flow_src_last_pkt_time":1120470161396896,"flow_dst_last_pkt_time":1120469540839312,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1592,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470161396896,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":741823,"flow_avg":20017986.0,"flow_max":47494748,"flow_stddev":22627942.0,"c_to_s_min":741823,"c_to_s_avg":20017986.0,"c_to_s_max":47494748,"c_to_s_stddev":22627942.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":92,"c_to_s_avg":92.0,"c_to_s_max":92,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00910{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":293,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":76,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120469973959320,"flow_src_last_pkt_time":1120469973959320,"flow_dst_last_pkt_time":1120469973959320,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":63,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":63,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":63,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470162147971,"l3_proto":"ip4","src_ip":"192.168.130.1","dst_ip":"192.168.1.2","src_port":53,"dst_port":2741,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00766{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":293,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":75,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120469973957831,"flow_src_last_pkt_time":1120469973957831,"flow_dst_last_pkt_time":1120469973957831,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470162147971,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2741,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":293,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":112,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120470170646619,"flow_src_last_pkt_time":1120470170646619,"flow_dst_last_pkt_time":1120470170646619,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470170646619,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2640,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -805,7 +805,7 @@ 01012{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":428,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":165,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120470473526171,"flow_src_last_pkt_time":1120470473526171,"flow_dst_last_pkt_time":1120470473526171,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470473526171,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2788,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"1.0.0.127.in-addr.arpa","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00732{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":429,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":166,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120470473527682,"flow_src_last_pkt_time":1120470473527682,"flow_dst_last_pkt_time":1120470473527682,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":71,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":71,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":71,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470473527682,"l3_proto":"ip4","src_ip":"192.168.1.1","dst_ip":"192.168.1.2","l4_proto":0,"flow_datalink":1,"flow_max_packets":3} 00593{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":429,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":166,"flow_packet_id":1,"flow_src_last_pkt_time":1120470473527682,"flow_dst_last_pkt_time":1120470473527682,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":105,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":105,"pkt_l4_len":71,"thread_ts_usec":1120470473527682,"pkt":"AODtAW69ADBUADRWCABFAABbAABAJXMAtz7AqAEBwKgBAgA1CuQAR5xtaumAAAABAAEAAAAAATEBMAEwAzEyNwdpbi1hZGRyBGFycGEAAAwAAcAMAAwAAQAAJxAACwlsb2NhbGhvc3Qw"} -01387{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":430,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1120469572981006,"flow_src_last_pkt_time":1120470268128176,"flow_dst_last_pkt_time":1120470473529233,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":306,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":593,"flow_dst_max_l4_payload_len":1076,"flow_src_tot_l4_payload_len":4595,"flow_dst_tot_l4_payload_len":6254,"midstream":0,"thread_ts_usec":1120470473529233,"l3_proto":"ip4","src_ip":"212.242.33.35","dst_ip":"192.168.1.2","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25935,"flow_avg":49869852.0,"flow_max":279041814,"flow_stddev":59132512.0,"c_to_s_min":25935,"c_to_s_avg":69528704.0,"c_to_s_max":279041814,"c_to_s_stddev":85489432.0,"s_to_c_min":227102,"s_to_c_avg":40934012.0,"s_to_c_max":167525220,"s_to_c_stddev":38839472.0},"pktlen": {"c_to_s_min":348,"c_to_s_avg":501.5,"c_to_s_max":635,"c_to_s_stddev":76.4,"s_to_c_min":47,"s_to_c_avg":326.3,"s_to_c_max":1118,"s_to_c_stddev":339.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01387{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":430,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1120469572981006,"flow_src_last_pkt_time":1120470268128176,"flow_dst_last_pkt_time":1120470473529233,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":306,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":593,"flow_dst_max_l4_payload_len":1076,"flow_src_tot_l4_payload_len":4595,"flow_dst_tot_l4_payload_len":6254,"midstream":0,"thread_ts_usec":1120470473529233,"l3_proto":"ip4","src_ip":"212.242.33.35","dst_ip":"192.168.1.2","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25935,"flow_avg":51474044.0,"flow_max":279041814,"flow_stddev":59389388.0,"c_to_s_min":25935,"c_to_s_avg":77238576.0,"c_to_s_max":279041814,"c_to_s_stddev":86752928.0,"s_to_c_min":227102,"s_to_c_avg":40934012.0,"s_to_c_max":167525220,"s_to_c_stddev":38839472.0},"pktlen": {"c_to_s_min":348,"c_to_s_avg":501.5,"c_to_s_max":635,"c_to_s_stddev":76.4,"s_to_c_min":47,"s_to_c_avg":326.3,"s_to_c_max":1118,"s_to_c_stddev":339.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00201{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":431,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","layer_type":2157,"global_ts_usec":1120470473631455} 00403{"packet_event_id":1,"packet_event_name":"packet","packet_id":431,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":86,"pkt_type":2157,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":86,"pkt_l4_len":0,"thread_ts_usec":1120470473529233,"pkt":"ADBUADRWACVzVG69CG1FAABIa2IAAIARS+\/AqAECwKgBAQrlADUANLH1d+oBAAABAAAAAAAABF9zaXAEX3VkcANzaXAJY3liZXJjaXR5AmRrAAAhAAE="} 00220{"error_event_id":9,"error_event_name":"nDPI IPv4\/L4 payload detection failed","datalink":1,"packet_id":432,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","l4_data_len":498,"global_ts_usec":1120470473676412} diff --git a/test/results/fuzz-2020-02-16-11740.pcap.out b/test/results/fuzz-2020-02-16-11740.pcap.out index 93da2afca..ecf00100e 100644 --- a/test/results/fuzz-2020-02-16-11740.pcap.out +++ b/test/results/fuzz-2020-02-16-11740.pcap.out @@ -77,7 +77,7 @@ 00220{"error_event_id":9,"error_event_name":"nDPI IPv4\/L4 payload detection failed","datalink":1,"packet_id":58,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","l4_data_len":284,"global_ts_usec":1528997012338586} 00714{"packet_event_id":1,"packet_event_name":"packet","packet_id":58,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":318,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":318,"pkt_l4_len":0,"thread_ts_usec":1528997012137776,"pkt":"ABRP+4rqcNuYVcUnCABFAIEw++ZAAPwRV5TG4hk1CgxAHgcUchABHA0JAicBFBsdKAWbpXDSR2MuOEvDRI4aCwAAV8gbBVNQQxpuAAABNxA0owm4HCG6PU2XNAkv\/vzDOB0KCSSyhii6vunR59O76CIKGOYjAfl7PUhdXq\/+IyUA1AERNOgzhBq9cBFTORk8iq5zOGawlRK5SmrzC9CE14BmLSTx9+rzUr5gcK7nljeTYDH3Q7JtAU4wMzExNDgwMDczNjM4MDcyQHdsYW4ubW5jNCUALm12YzMxMS4zZ3BwbmV0d29yay5vcmcsIDViMjJhNDg0L2YwOjc5OjYwOmQxOjdkOjM3LzIxNVkMOTA4NDIxMzI5MhIJU3VjY2VzcxkFU1BDTwYDAgAEUBJln13lrCrLxGDT3fIxBMmg"} 00925{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":59,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":1,"flow_first_seen":1528996603395872,"flow_src_last_pkt_time":1528996832079336,"flow_dst_last_pkt_time":1528996609592806,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":209,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":834,"flow_dst_max_l4_payload_len":105,"flow_src_tot_l4_payload_len":2009,"flow_dst_tot_l4_payload_len":105,"midstream":0,"thread_ts_usec":1528997012137776,"l3_proto":"ip4","src_ip":"10.12.64.30","dst_ip":"198.226.25.53","src_port":29200,"dst_port":1813,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Radius","proto_id":"146","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01397{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":59,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1528996068129675,"flow_src_last_pkt_time":1528997019398709,"flow_dst_last_pkt_time":1528997011828903,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":655,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":703,"flow_dst_max_l4_payload_len":276,"flow_src_tot_l4_payload_len":12258,"flow_dst_tot_l4_payload_len":2595,"midstream":0,"thread_ts_usec":1528997019398709,"l3_proto":"ip4","src_ip":"10.12.64.30","dst_ip":"198.226.25.53","src_port":29200,"dst_port":1812,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":155168,"flow_avg":77831984.0,"flow_max":612411195,"flow_stddev":166938736.0,"c_to_s_min":187053,"c_to_s_avg":85940240.0,"c_to_s_max":612411195,"c_to_s_stddev":192144576.0,"s_to_c_min":155168,"s_to_c_avg":67407088.0,"s_to_c_max":452627740,"s_to_c_stddev":126642552.0},"pktlen": {"c_to_s_min":697,"c_to_s_avg":723.0,"c_to_s_max":745,"c_to_s_stddev":21.9,"s_to_c_min":179,"s_to_c_avg":227.4,"s_to_c_max":318,"s_to_c_stddev":45.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Radius","proto_id":"146","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01397{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":59,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1528996068129675,"flow_src_last_pkt_time":1528997019398709,"flow_dst_last_pkt_time":1528997011828903,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":655,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":703,"flow_dst_max_l4_payload_len":276,"flow_src_tot_l4_payload_len":12258,"flow_dst_tot_l4_payload_len":2595,"midstream":0,"thread_ts_usec":1528997019398709,"l3_proto":"ip4","src_ip":"10.12.64.30","dst_ip":"198.226.25.53","src_port":29200,"dst_port":1812,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":155168,"flow_avg":61128012.0,"flow_max":612411195,"flow_stddev":140850256.0,"c_to_s_min":187053,"c_to_s_avg":55957004.0,"c_to_s_max":612411195,"c_to_s_stddev":151358432.0,"s_to_c_min":155168,"s_to_c_avg":67407088.0,"s_to_c_max":452627740,"s_to_c_stddev":126642552.0},"pktlen": {"c_to_s_min":697,"c_to_s_avg":723.0,"c_to_s_max":745,"c_to_s_stddev":21.9,"s_to_c_min":179,"s_to_c_avg":227.4,"s_to_c_max":318,"s_to_c_stddev":45.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Radius","proto_id":"146","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00199{"error_event_id":2,"error_event_name":"Unknown L3 protocol","datalink":1,"packet_id":63,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","protocol":2048,"global_ts_usec":1528997023243075} 01284{"packet_event_id":1,"packet_event_name":"packet","packet_id":63,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":745,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":745,"pkt_l4_len":0,"thread_ts_usec":1528997020091114,"pkt":"AAAMB6xAABRP+4rqCAAHAALbIOZAAP8RAAAKDEAexuIZNXIQBxQC1gAAASoCn1lLG5tNeGgoWBAiZw18BtkaCgAAV8gOBFVTGgwAAFfIDQZ3aWZpGg8AAFfICVZXSVNQUjEwGgkAADghDQMyNwZbIqSfATUwMzExNDgwMjgxNTAxNTg5QHdsYW4ubW5jNDgwLm1jYzMxMS4zZ3BwbmV0d29yay5vcmdZAxB+CDFjaXNjb4MGAAAAAR+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqg=="} 00773{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":66,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1528997023501287,"flow_src_last_pkt_time":1528997023501287,"flow_dst_last_pkt_time":1528997023501287,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":164,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":164,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":164,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1528997023501287,"l3_proto":"ip4","src_ip":"198.162.25.53","dst_ip":"10.12.64.30","src_port":1810,"dst_port":29200,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/git.pcap.out b/test/results/git.pcap.out index caad05683..5f5749ae9 100644 --- a/test/results/git.pcap.out +++ b/test/results/git.pcap.out @@ -5,7 +5,7 @@ 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1460821630164056,"flow_dst_last_pkt_time":1460821630221958,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1460821630221958,"pkt":"PJcOZtCOnJcm0ghCCABFCAA8AABAAC8GnhAFmecVwKgATSTKu3dqwE5VfoYLRaASOJBfrwAAAgQFrAQCCAorjWmrAadIEgEDAwc="} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1460821630222020,"flow_dst_last_pkt_time":1460821630221958,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1460821630222020,"pkt":"nJcm0ghCPJcOZtCOCABFAAA0Q1dAAEAGScnAqABNBZnnFbt3JMp+hgtFasBOVoAQAB3G2AAAAQEICgGnSCArjWmr"} 00856{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1460821630164056,"flow_src_last_pkt_time":1460821630222080,"flow_dst_last_pkt_time":1460821630221958,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":69,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":69,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1460821630222080,"l3_proto":"ip4","src_ip":"192.168.0.77","dst_ip":"5.153.231.21","src_port":47991,"dst_port":9418,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Git","proto_id":"226","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative"}} -01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1460821630164056,"flow_src_last_pkt_time":1460821630544728,"flow_dst_last_pkt_time":1460821630545903,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":527,"flow_dst_max_l4_payload_len":2880,"flow_src_tot_l4_payload_len":605,"flow_dst_tot_l4_payload_len":19825,"midstream":0,"thread_ts_usec":1460821630545903,"l3_proto":"ip4","src_ip":"192.168.0.77","dst_ip":"5.153.231.21","src_port":47991,"dst_port":9418,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":29,"flow_avg":5448175.0,"flow_max":173579080,"flow_stddev":30197216.0,"c_to_s_min":60,"c_to_s_avg":13381519.0,"c_to_s_max":173579080,"c_to_s_stddev":46245064.0,"s_to_c_min":29,"s_to_c_avg":20097.2,"s_to_c_max":57902,"s_to_c_stddev":24214.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":113.2,"c_to_s_max":593,"c_to_s_stddev":139.7,"s_to_c_min":66,"s_to_c_avg":1109.8,"s_to_c_max":2946,"s_to_c_stddev":769.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Git","proto_id":"226","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative"}} +01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1460821630164056,"flow_src_last_pkt_time":1460821630544728,"flow_dst_last_pkt_time":1460821630545903,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":527,"flow_dst_max_l4_payload_len":2880,"flow_src_tot_l4_payload_len":605,"flow_dst_tot_l4_payload_len":19825,"midstream":0,"thread_ts_usec":1460821630545903,"l3_proto":"ip4","src_ip":"192.168.0.77","dst_ip":"5.153.231.21","src_port":47991,"dst_port":9418,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":29,"flow_avg":24597.4,"flow_max":99851,"flow_stddev":28614.0,"c_to_s_min":60,"c_to_s_avg":31722.7,"c_to_s_max":99851,"c_to_s_stddev":33225.0,"s_to_c_min":29,"s_to_c_avg":20097.2,"s_to_c_max":57902,"s_to_c_stddev":24214.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":113.2,"c_to_s_max":593,"c_to_s_stddev":139.7,"s_to_c_min":66,"s_to_c_avg":1109.8,"s_to_c_max":2946,"s_to_c_stddev":769.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Git","proto_id":"226","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00906{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":90,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":41,"flow_dst_packets_processed":49,"flow_first_seen":1460821630164056,"flow_src_last_pkt_time":1460821631220936,"flow_dst_last_pkt_time":1460821631269756,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":527,"flow_dst_max_l4_payload_len":2880,"flow_src_tot_l4_payload_len":605,"flow_dst_tot_l4_payload_len":67444,"midstream":0,"thread_ts_usec":1460821631269756,"l3_proto":"ip4","src_ip":"192.168.0.77","dst_ip":"5.153.231.21","src_port":47991,"dst_port":9418,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Git","proto_id":"226","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00556{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":90,"source":"git.pcap","alias":"nDPId-test","packets-captured":90,"packets-processed":90,"total-skipped-flows":0,"total-l4-payload-len":68049,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1460821631269756} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121524/121524 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 474 chars -~~ json string max len.......: 1356 chars -~~ json string avg len.......: 879 chars +~~ json string max len.......: 1337 chars +~~ json string avg len.......: 870 chars diff --git a/test/results/gnutella.pcap.out b/test/results/gnutella.pcap.out index 12a58e7ca..9540fffdf 100644 --- a/test/results/gnutella.pcap.out +++ b/test/results/gnutella.pcap.out @@ -1117,10 +1117,10 @@ 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1296,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":267,"flow_packet_id":3,"flow_src_last_pkt_time":99778426,"flow_dst_last_pkt_time":90738015,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":99778426,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0Rs5AAIAGRA0KAAIPyAeb0sRzbs28TEPZAAAAAIAC+vDQzwAAAgQFtAEDAwgBAQQC"} 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1297,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":286,"flow_packet_id":3,"flow_src_last_pkt_time":99778446,"flow_dst_last_pkt_time":90745561,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":99778446,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0O4NAAIAGzRIKAAIPTG6ZscSGnFbyaQhuAAAAAIAC+vAmPAAAAgQFtAEDAwgBAQQC"} 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1298,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":266,"flow_packet_id":3,"flow_src_last_pkt_time":99778471,"flow_dst_last_pkt_time":90737440,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":99778471,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0gg9AAIAGKkQKAAIPSVn5CMRyxdmnmnGXAAAAAIAC+vCCMAAAAgQFtAEDAwgBAQQC"} -01462{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1317,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":239,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":88704875,"flow_src_last_pkt_time":100541304,"flow_dst_last_pkt_time":100658601,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":599,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":10762,"midstream":0,"thread_ts_usec":100658601,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"75.133.101.93","src_port":50285,"dst_port":52367,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":68,"flow_avg":949591.5,"flow_max":8796467,"flow_stddev":2314066.5,"c_to_s_min":223,"c_to_s_avg":1417938.5,"c_to_s_max":8737919,"c_to_s_stddev":2706807.0,"s_to_c_min":68,"s_to_c_avg":629143.5,"s_to_c_max":8796467,"s_to_c_stddev":1937251.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":134.6,"c_to_s_max":653,"c_to_s_stddev":170.5,"s_to_c_min":54,"s_to_c_avg":620.6,"s_to_c_max":1514,"s_to_c_stddev":539.8}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} +01461{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1317,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":239,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":88704875,"flow_src_last_pkt_time":100541304,"flow_dst_last_pkt_time":100658601,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":599,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":10762,"midstream":0,"thread_ts_usec":100658601,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"75.133.101.93","src_port":50285,"dst_port":52367,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":68,"flow_avg":767424.4,"flow_max":8796467,"flow_stddev":2113226.8,"c_to_s_min":223,"c_to_s_avg":986369.1,"c_to_s_max":8737919,"c_to_s_stddev":2348636.0,"s_to_c_min":68,"s_to_c_avg":629143.5,"s_to_c_max":8796467,"s_to_c_stddev":1937251.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":134.6,"c_to_s_max":653,"c_to_s_stddev":170.5,"s_to_c_min":54,"s_to_c_avg":620.6,"s_to_c_max":1514,"s_to_c_stddev":539.8}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 01456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1320,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":316,"flow_packet_id":2,"flow_src_last_pkt_time":95784128,"flow_dst_last_pkt_time":100920359,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":769,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":769,"pkt_l4_len":735,"thread_ts_usec":100920359,"pkt":"CAAn5uVZUlQAEjUCCABFAALzBEAAAEARxyNeNkJSCgACD\/iVcAkC34d4LkYxAuq77b+oti7DkMaMrEQAAMACAAAGR1RLRwAA+wNHJRwgXbAuWugSpAUSxJsCHL8EXjZCUviVAQAAAAR+IhyrFEdUS0cAAOCbIyHZHrkrYnNgnMXp7j9XkbO8BG2EvGL1g1dTSFIAAPJ8p2NaB+IvDcmOjYwpnv4Dgo0cBBinyTW4skdUS0cAAPLJywhbkrobDN\/JQ6AnuEOyGSGjBLBjsBQYykdUS0cAAPdrnSa2ww\/WjIRLC1ipyWI+KDekBGjurPpb\/FdTSFIAAPUb1vVQWKsuipKs18obx69UnmxtBEftyls+9UdUS0cAAPXAlRBP9j9OpxXVbJllgFo1AUWcBFzZVBBO\/0dUS0cAAPk7PafFnhokmbg2Skj0CN9dtWlxBGDszQeH6kdUS0cAAP2LxejmjNINBLJfc3hRxQZnhG+dBK23t27qEEdUS0cAAMJCPsbCyFi2EKuhIjR8FOxLMgMMBKSEChnYBkdUS0cAAMs4SkQs8Plx39K+G3osYia2QR5gBLnsyIm8DkdUS0cAANFgvV19Qr+DjCD+VI9ncRVX3pcfBLyly75V61dTSFIAANEo391sZyCjuFpU0yy2PWYlrl8ABC1Yddsa\/UdUS0cAANCctnuhx+ItXQPhY9ykozj36PhcBGD2nH7bBkdUS0cAANY8nyC9cCseHTJEnvv8hZLF1GA+BEn6s+1RcEdUS0cAAN60b0CUs3pQ36DSdMP3NoNcDa2fBFOgjzCQrEdUS0cAAKZeyrvsa5mvejLQ38QnOIQ2zbdtBGQB54rc7ldTSFIAAKQeYlqSZYffwoHRlw8bFrfmBFSvBFQcNeGvO1dTSFIAAKr7G8iP9T\/W+jUmPMkpEJiqR57KBMvcaRtLPEdUS0cAAK10JPaTOb0hgYkPVi8cpzY7gtJoBFx1+WIan0dUS0cAALNy1PV19iuZm7NzjEzMA6wUOO22BFJALAsFSA=="} -01460{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1333,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":238,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":88704150,"flow_src_last_pkt_time":101062565,"flow_dst_last_pkt_time":101062734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":600,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1062,"flow_dst_tot_l4_payload_len":6684,"midstream":0,"thread_ts_usec":101062734,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"104.156.226.72","src_port":50284,"dst_port":53258,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":978532.7,"flow_max":8218469,"flow_stddev":2186458.2,"c_to_s_min":372,"c_to_s_avg":1184653.9,"c_to_s_max":8175797,"c_to_s_stddev":2382751.2,"s_to_c_min":1,"s_to_c_avg":772411.5,"s_to_c_max":8218469,"s_to_c_stddev":1949031.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":121.1,"c_to_s_max":654,"c_to_s_stddev":156.5,"s_to_c_min":54,"s_to_c_avg":472.0,"s_to_c_max":1078,"s_to_c_stddev":453.4}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} -01462{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1370,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":288,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":90745963,"flow_src_last_pkt_time":101065402,"flow_dst_last_pkt_time":101065057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":601,"flow_dst_max_l4_payload_len":628,"flow_src_tot_l4_payload_len":1115,"flow_dst_tot_l4_payload_len":1487,"midstream":0,"thread_ts_usec":101065402,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"104.238.172.250","src_port":50312,"dst_port":23548,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":346,"flow_avg":665358.5,"flow_max":8692014,"flow_stddev":2077729.4,"c_to_s_min":346,"c_to_s_avg":685773.6,"c_to_s_max":8643736,"c_to_s_stddev":2068396.2,"s_to_c_min":360,"s_to_c_avg":644943.4,"s_to_c_max":8692014,"s_to_c_stddev":2086821.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":124.4,"c_to_s_max":655,"c_to_s_stddev":155.5,"s_to_c_min":54,"s_to_c_avg":147.2,"s_to_c_max":682,"s_to_c_stddev":182.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} +01459{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1333,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":238,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":88704150,"flow_src_last_pkt_time":101062565,"flow_dst_last_pkt_time":101062734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":600,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1062,"flow_dst_tot_l4_payload_len":6684,"midstream":0,"thread_ts_usec":101062734,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"104.156.226.72","src_port":50284,"dst_port":53258,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":797322.6,"flow_max":8218469,"flow_stddev":1970792.9,"c_to_s_min":372,"c_to_s_avg":823894.3,"c_to_s_max":8175797,"c_to_s_stddev":1993400.2,"s_to_c_min":1,"s_to_c_avg":772411.5,"s_to_c_max":8218469,"s_to_c_stddev":1949031.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":121.1,"c_to_s_max":654,"c_to_s_stddev":156.5,"s_to_c_min":54,"s_to_c_avg":472.0,"s_to_c_max":1078,"s_to_c_stddev":453.4}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} +01462{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1370,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":288,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":90745963,"flow_src_last_pkt_time":101065402,"flow_dst_last_pkt_time":101065057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":601,"flow_dst_max_l4_payload_len":628,"flow_src_tot_l4_payload_len":1115,"flow_dst_tot_l4_payload_len":1487,"midstream":0,"thread_ts_usec":101065402,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"104.238.172.250","src_port":50312,"dst_port":23548,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":346,"flow_avg":665759.1,"flow_max":8692014,"flow_stddev":2110974.0,"c_to_s_min":346,"c_to_s_avg":687962.6,"c_to_s_max":8643736,"c_to_s_stddev":2136212.5,"s_to_c_min":360,"s_to_c_avg":644943.4,"s_to_c_max":8692014,"s_to_c_stddev":2086821.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":124.4,"c_to_s_max":655,"c_to_s_stddev":155.5,"s_to_c_min":54,"s_to_c_avg":147.2,"s_to_c_max":682,"s_to_c_stddev":182.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 00732{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1450,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":328,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":101122346,"flow_src_last_pkt_time":101122346,"flow_dst_last_pkt_time":101122346,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":81,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":81,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":101122346,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"203.220.105.27","src_port":28681,"dst_port":19260,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00587{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1450,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":328,"flow_packet_id":1,"flow_src_last_pkt_time":101122346,"flow_dst_last_pkt_time":101122346,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":101122346,"pkt":"UlQAEjUCCAAn5uVZCABFAABt2AwAAIARIW0KAAIPy9xpG3AJSzwAWVR20YMxAsOjfW6uj7unlpr730QAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAAONVJKmT8c3egN9Xa0CwzKQP3iGM"} 00972{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1450,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":328,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":101122346,"flow_src_last_pkt_time":101122346,"flow_dst_last_pkt_time":101122346,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":81,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":81,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":101122346,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"203.220.105.27","src_port":28681,"dst_port":19260,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} @@ -1185,8 +1185,8 @@ 00587{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2009,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":311,"flow_packet_id":3,"flow_src_last_pkt_time":116916595,"flow_dst_last_pkt_time":95753158,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":116916595,"pkt":"UlQAEjUCCAAn5uVZCABFAABtSkYAAIARukQKAAIPbYS8YnAJ9YMAWSTZAPYxAt0gaIFrQZ34NDjR2kQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAACidCo0G3v\/IJjwziXwskXn9hKth"} 00587{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2010,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":317,"flow_packet_id":3,"flow_src_last_pkt_time":116942486,"flow_dst_last_pkt_time":95892313,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":116942486,"pkt":"UlQAEjUCCAAn5uVZCABFAABtkeQAAIARbpkKAAIPYOzNB3AJh+oAWWt89cIxAlSvaqi63PpUHKTx3UQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAACidCo0G3v\/IJjwziXwskXn9hKth"} 00589{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2012,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":316,"flow_packet_id":3,"flow_src_last_pkt_time":116952656,"flow_dst_last_pkt_time":100920359,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":116952656,"pkt":"UlQAEjUCCAAn5uVZCABFAABtMigAAIARW8EKAAIPXjZCUnAJ+JUAWdgAXr4xAg\/r1cFsj19qlWaDPkQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAACidCo0G3v\/IJjwziXwskXn9hKth"} -01697{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":333,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":114930255,"flow_src_last_pkt_time":119175893,"flow_dst_last_pkt_time":120208521,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":533,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":533,"flow_dst_tot_l4_payload_len":25332,"midstream":0,"thread_ts_usec":120208521,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"69.118.162.229","src_port":50327,"dst_port":46906,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19,"flow_avg":893843.8,"flow_max":19079096,"flow_stddev":3297876.0,"c_to_s_min":142,"c_to_s_avg":2332473.5,"c_to_s_max":19079096,"c_to_s_stddev":5602597.0,"s_to_c_min":19,"s_to_c_avg":239921.2,"s_to_c_max":1123233,"s_to_c_stddev":428344.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":108.5,"c_to_s_max":587,"c_to_s_stddev":159.5,"s_to_c_min":54,"s_to_c_avg":1205.6,"s_to_c_max":1514,"s_to_c_stddev":506.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"HTTP.Gnutella","proto_id":"7.35","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}} -01467{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2072,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":276,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":90742816,"flow_src_last_pkt_time":121143186,"flow_dst_last_pkt_time":117002254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":599,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1696,"flow_dst_tot_l4_payload_len":3374,"midstream":0,"thread_ts_usec":121143186,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"188.61.52.183","src_port":50300,"dst_port":11852,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":49,"flow_avg":1790925.0,"flow_max":13801588,"flow_stddev":3877714.2,"c_to_s_min":2797,"c_to_s_avg":1940635.1,"c_to_s_max":13801588,"c_to_s_stddev":3877106.2,"s_to_c_min":49,"s_to_c_avg":1641214.9,"s_to_c_max":13760964,"s_to_c_stddev":3872538.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":160.8,"c_to_s_max":653,"c_to_s_stddev":163.5,"s_to_c_min":54,"s_to_c_avg":265.1,"s_to_c_max":1514,"s_to_c_stddev":375.0}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} +01692{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":333,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":114930255,"flow_src_last_pkt_time":119175893,"flow_dst_last_pkt_time":120208521,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":533,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":533,"flow_dst_tot_l4_payload_len":25332,"midstream":0,"thread_ts_usec":120208521,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"69.118.162.229","src_port":50327,"dst_port":46906,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19,"flow_avg":307222.7,"flow_max":1138736,"flow_stddev":463516.9,"c_to_s_min":142,"c_to_s_avg":471737.6,"c_to_s_max":1138736,"c_to_s_stddev":503378.2,"s_to_c_min":19,"s_to_c_avg":239921.2,"s_to_c_max":1123233,"s_to_c_stddev":428344.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":108.5,"c_to_s_max":587,"c_to_s_stddev":159.5,"s_to_c_min":54,"s_to_c_avg":1205.6,"s_to_c_max":1514,"s_to_c_stddev":506.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"HTTP.Gnutella","proto_id":"7.35","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}} +01467{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2072,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":276,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":90742816,"flow_src_last_pkt_time":121143186,"flow_dst_last_pkt_time":117002254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":599,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1696,"flow_dst_tot_l4_payload_len":3374,"midstream":0,"thread_ts_usec":121143186,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"188.61.52.183","src_port":50300,"dst_port":11852,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":49,"flow_avg":1827735.8,"flow_max":13801588,"flow_stddev":3934254.5,"c_to_s_min":2797,"c_to_s_avg":2026691.4,"c_to_s_max":13801588,"c_to_s_stddev":3989435.2,"s_to_c_min":49,"s_to_c_avg":1641214.9,"s_to_c_max":13760964,"s_to_c_stddev":3872538.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":160.8,"c_to_s_max":653,"c_to_s_stddev":163.5,"s_to_c_min":54,"s_to_c_avg":265.1,"s_to_c_max":1514,"s_to_c_stddev":375.0}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2085,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":335,"flow_packet_id":3,"flow_src_last_pkt_time":121820041,"flow_dst_last_pkt_time":115702290,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":71,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":71,"pkt_l4_len":37,"thread_ts_usec":121820041,"pkt":"UlQAEjUCCAAn5uVZCABFAAA5tigAAIARac8KAAIPDsj\/5XAJkMIAJc6JzTYxAkzkFwP\/aHzSItv7AwABAAYAAADDg0dVRUA="} 00586{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2111,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":319,"flow_packet_id":3,"flow_src_last_pkt_time":123877237,"flow_dst_last_pkt_time":95941178,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":123877237,"pkt":"UlQAEjUCCAAn5uVZCABFAABtptcAAIAR2PwKAAIPpIQKGXAJ2AYAWdpE9ZMxAnuYArMNMRKsJogRPUQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAAIek2ZxoyMuuDPvZIwnux4CwuAqS"} 00731{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2113,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":337,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":123912290,"flow_src_last_pkt_time":123912290,"flow_dst_last_pkt_time":123912290,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":81,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":81,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":123912290,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"24.116.64.132","src_port":28681,"dst_port":51227,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -1216,7 +1216,7 @@ 00588{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2125,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":344,"flow_packet_id":1,"flow_src_last_pkt_time":124090730,"flow_dst_last_pkt_time":124090730,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":124090730,"pkt":"UlQAEjUCCAAn5uVZCABFAABtN+oAAIARg3wKAAIPzyaj5HAJGnoAWUl8GqIxAsDHb8ARC\/TCVyKtTkQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAAIek2ZxoyMuuDPvZIwnux4CwuAqS"} 00971{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2125,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":344,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":124090730,"flow_src_last_pkt_time":124090730,"flow_dst_last_pkt_time":124090730,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":81,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":81,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":124090730,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"207.38.163.228","src_port":28681,"dst_port":6778,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 01460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2126,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":340,"flow_packet_id":2,"flow_src_last_pkt_time":124066131,"flow_dst_last_pkt_time":124181723,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":769,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":769,"pkt_l4_len":735,"thread_ts_usec":124181723,"pkt":"CAAn5uVZUlQAEjUCCABFAALzBkkAAEARxyomjnfqCgACD8JEcAkC3z99SEIxAiBrw4qXLe42xzCJ9UQAAMACAAAGR1RLRwAAjVz9Bf0jf1LZ5zMd\/xsbFCoGHdIEJo536sJEAQAAAAT9X3JyFEdUS0cAAIQFsf+Bv2njsZMOcK5XBzk5Qq3rBN3GzcRRKkdUS0cAAIPPdMtTw3ywAQrcKHskULaFt8T9BFd7NurTckdUS0cAAIBDDfCNVDqFgBWTNBe\/R1a2V7AXBLm7Sq3Q8VdTSFIAAIsML3baZ9qjEzov01XuwUWPp8CvBBiB6TxOFldTSFIAAIgInuBYn2DWNYTpgSOhE3nGOSSqBGLQGpoTgldTSFIAAJMpLUy99S6l5+o3G\/7HZbY0zUPGBFnUW5sUS1NOT1cAAJJLJdecP9uDvZhuUeP7MwcedtuWBM8mo+QaekdUS0cAAJ6Xxzbx1oA8a67zMFTEYzHds+ukBEziVWkYyldTSFIAAJ7Bez1ZQQgPxovuLAykgS8CMrDdBLAKqQox\/0dUS0cAAJp\/6ofTpH0Z7c9sfONgy\/6jjg5ZBFTFYV4FUFdTSFIAAJgFqYyWS9v2Yq4KyYrmzTVJWc5SBGP6\/WMuK0dUS0cAAKZeyrvsa5mvejLQ38QnOIQ2zbdtBGQB54rc7ldTSFIAAKQeYlqSZYffwoHRlw8bFrfmBFSvBFQcNeGvO0dUS0cAAK10JPaTOb0hgYkPVi8cpzY7gtJoBFx1+WIan1dTSFIAAKr7G8iP9T\/W+jUmPMkpEJiqR57KBMvcaRtLPEdUS0cAALd6AZ7svQKtiRxAHRTzpxSemu\/LBNXlb+ATDEdUS0cAALSr6ArQaneMzMJ81PWuqjO12gqLBLV2NdR1LkdUS0cAALNy1PV19iuZm7NzjEzMA6wUOO22BFJALAsFSEdUS0cAALFbZ+HgSIrho0RaGRNTd1qTgMZFBC0fmHBo40dUS0cAAL1cZVAaZZhJTOPlkpw6jfT8aYRtBD\/kr6kHkA=="} -01698{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2138,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":334,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":114930776,"flow_src_last_pkt_time":123432179,"flow_dst_last_pkt_time":124445371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":538,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":538,"flow_dst_tot_l4_payload_len":22968,"midstream":0,"thread_ts_usec":124445371,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"189.147.72.83","src_port":50328,"dst_port":26108,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":42,"flow_avg":1159238.0,"flow_max":19079617,"flow_stddev":3256879.5,"c_to_s_min":1788,"c_to_s_avg":2507365.5,"c_to_s_max":19079617,"c_to_s_stddev":5253336.0,"s_to_c_min":42,"s_to_c_avg":453075.9,"s_to_c_max":1208824,"s_to_c_stddev":506891.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":104.0,"c_to_s_max":592,"c_to_s_stddev":154.4,"s_to_c_min":54,"s_to_c_avg":1147.9,"s_to_c_max":1514,"s_to_c_stddev":453.9}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"HTTP.Gnutella","proto_id":"7.35","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}} +01692{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2138,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":334,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":114930776,"flow_src_last_pkt_time":123432179,"flow_dst_last_pkt_time":124445371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":538,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":538,"flow_dst_tot_l4_payload_len":22968,"midstream":0,"thread_ts_usec":124445371,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"189.147.72.83","src_port":50328,"dst_port":26108,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":42,"flow_avg":581161.2,"flow_max":1214808,"flow_stddev":505873.5,"c_to_s_min":1788,"c_to_s_avg":850140.3,"c_to_s_max":1214808,"c_to_s_stddev":383329.7,"s_to_c_min":42,"s_to_c_avg":453075.9,"s_to_c_max":1208824,"s_to_c_stddev":506891.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":104.0,"c_to_s_max":592,"c_to_s_stddev":154.4,"s_to_c_min":54,"s_to_c_avg":1147.9,"s_to_c_max":1514,"s_to_c_stddev":453.9}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"HTTP.Gnutella","proto_id":"7.35","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}} 00730{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2164,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":345,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":126831784,"flow_src_last_pkt_time":126831784,"flow_dst_last_pkt_time":126831784,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":126831784,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"69.118.162.229","src_port":50330,"dst_port":46906,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2164,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":345,"flow_packet_id":1,"flow_src_last_pkt_time":126831784,"flow_dst_last_pkt_time":126831784,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":126831784,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0bCBAAIAGmjkKAAIPRXai5cSatzq0d6IdAAAAAIAC+vCtSgAAAgQFtAEDAwgBAQQC"} 00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2165,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":345,"flow_packet_id":2,"flow_src_last_pkt_time":126831784,"flow_dst_last_pkt_time":126943376,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":126943376,"pkt":"CAAn5uVZUlQAEjUCCABFAAAsBmMAAEAGf\/9FdqLlCgACD7c6xJoBCaABtHeiHmAS\/\/8wNgAAAgQFtA=="} @@ -1267,7 +1267,7 @@ 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2265,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":114,"flow_packet_id":2,"flow_src_last_pkt_time":131673544,"flow_dst_last_pkt_time":71540581,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":131673544,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0Wk0AAIARMwEKAAIPVhdLRXAJGMoAIGjuR05EED8SAQFUC1FLUlAGUk5BXS\/iNQlw"} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2266,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":157,"flow_packet_id":2,"flow_src_last_pkt_time":131673716,"flow_dst_last_pkt_time":82058208,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":131673716,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0rD4AAIARiPIKAAIPVuOilnAJGMoAIBDQR05EED8TAQFUC1FLUlAGUk5BXS\/iNQlw"} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2267,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":111,"flow_packet_id":2,"flow_src_last_pkt_time":131673854,"flow_dst_last_pkt_time":71540138,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":131673854,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0JF4AAIARIm4KAAIPWkGNnXAJGMoAICJqR05EED8UAQFUC1FLUlAGUk5BXS\/iNQlw"} -01469{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2277,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":93,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":71205274,"flow_src_last_pkt_time":117002547,"flow_dst_last_pkt_time":132821508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":304,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":705,"flow_dst_tot_l4_payload_len":2420,"midstream":0,"thread_ts_usec":132821508,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"109.214.154.216","src_port":50248,"dst_port":6346,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1091,"flow_avg":3453393.0,"flow_max":22684647,"flow_stddev":6157411.0,"c_to_s_min":2576,"c_to_s_avg":3492310.0,"c_to_s_max":22633783,"c_to_s_stddev":6006610.0,"s_to_c_min":1091,"s_to_c_avg":3423124.0,"s_to_c_max":22684647,"s_to_c_stddev":6272028.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":105.2,"c_to_s_max":358,"c_to_s_stddev":80.3,"s_to_c_min":54,"s_to_c_avg":188.7,"s_to_c_max":1078,"s_to_c_stddev":275.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} +01469{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2277,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":93,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":71205274,"flow_src_last_pkt_time":117002547,"flow_dst_last_pkt_time":132821508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":304,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":705,"flow_dst_tot_l4_payload_len":2420,"midstream":0,"thread_ts_usec":132821508,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"109.214.154.216","src_port":50248,"dst_port":6346,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1091,"flow_avg":3464951.8,"flow_max":22684647,"flow_stddev":6255594.5,"c_to_s_min":2576,"c_to_s_avg":3522867.0,"c_to_s_max":22633783,"c_to_s_stddev":6232305.0,"s_to_c_min":1091,"s_to_c_avg":3423124.0,"s_to_c_max":22684647,"s_to_c_stddev":6272028.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":105.2,"c_to_s_max":358,"c_to_s_stddev":80.3,"s_to_c_min":54,"s_to_c_avg":188.7,"s_to_c_max":1078,"s_to_c_stddev":275.6}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 00733{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2280,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":353,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":132831233,"flow_src_last_pkt_time":132831233,"flow_dst_last_pkt_time":132831233,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":132831233,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"195.181.151.217","src_port":28681,"dst_port":25282,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2280,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":353,"flow_packet_id":1,"flow_src_last_pkt_time":132831233,"flow_dst_last_pkt_time":132831233,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":132831233,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0BqoAAIARzHEKAAIPw7WX2XAJYsIAIGTAR05EED8VAQFUC1FLUlAGUk5BXS\/iNQlw"} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2281,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":138,"flow_packet_id":2,"flow_src_last_pkt_time":132831544,"flow_dst_last_pkt_time":72853189,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":132831544,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0jJMAAIARUAgKAAIPp3KqnHAJXSQAIHPdR05EED8WAQFUC1FLUlAGUk5BXS\/iNQlw"} @@ -1369,7 +1369,7 @@ 00970{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2817,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":368,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":174343218,"flow_src_last_pkt_time":174343218,"flow_dst_last_pkt_time":174343218,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":86,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":174343218,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"47.147.52.21","src_port":28681,"dst_port":36728,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 01459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2827,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":367,"flow_packet_id":2,"flow_src_last_pkt_time":174342792,"flow_dst_last_pkt_time":174648242,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":769,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":769,"pkt_l4_len":735,"thread_ts_usec":174648242,"pkt":"CAAn5uVZUlQAEjUCCABFAALzB\/MAAEARKy2VHKOvCgACD8MkcAkC37mfNNYxAkNtQBP87WWbzy94OkQAAMACAAAGR1RLRwAAQTW8kBkL86J3th0pUYoQZu1JqkUElRyjr8MkAQAAAAThq6+iFEdUS0cAAFxg+taEWAYB1unX7flSWQRG3beNBGic4kjQCkdUS0cAAFuWTCQAv7KdBMgSGC6mmSLY5\/ECBMKjtH4qSVdTSFIAAFpCOi4aZIiG9lYEyciBumqkMMTzBMY62gy7KEdUS0cAAFf2jq05FgyfJOGIcRJLg6NdtQ1eBLw9NLcuTEdUS0cAAFYaYH8fxSMCFJGx6KJ1XnlYMcAbBL7A0rYaYkdUS0cAAFFI2BA3K8AVe0IqJAEnw9\/D630lBI6EpQ13ZkdUS0cAAFITSOd3gRniYdJwpHJZH2SZ8zLzBFaBxFQmu1dTSFIAAEwNRRSjJbzqx43c9rTKLbxkbHgKBF4IN57HxEdUS0cAAElxJg9dajjzW3txW7a4q7j8IGI0BFHNWy2VmVdTSFIAAEJDtkelhifx87ftq707Fzo\/U0PdBC+TNBWPeEdUS0cAAGqU5DC0wpx7Tt\/+AtuQJkODlGIrBC\/cuoxr+UdUS0cAAGSQPhJYYczqO9fA1uqwCWebPjcpBMEgftbozEdUS0cAAGfwY9tAxh1AXF0ZU2EOIfqDQ08tBHbwRccYzEdUS0cAAGcZJHUoqfb+iSo9+1Aaw4nAX4zABFAH\/MAa6EdUS0cAABnDsbPWKLbuWCN54AyWtjRM+4cSBFlLNBOzukdUS0cAABjf5v+Urk90V\/WPMxinQSIciE4\/BDzxMMJTNUdUS0cAABiF4URzeX7Vdi93GjTzJphEA0s1BC6AcmsZsldTSFIAABreJpDCEhk5HaHmWa2KZ2KgQT+tBFLZsDQdFkdUS0cAABpaaFBDXGgpcSmxYhITGidbcBteBEuFZV3Mj0dUS0cAABZMZh8YJqCRZ8rsFWpJujOrF1VMBFHNWy2cyQ=="} 01013{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2979,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":335,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":115369554,"flow_src_last_pkt_time":182706957,"flow_dst_last_pkt_time":122157131,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":29,"flow_dst_max_l4_payload_len":78,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":124,"midstream":0,"thread_ts_usec":182706957,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"14.200.255.229","src_port":28681,"dst_port":37058,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","bittorrent": {"hash":""}}} -01468{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3028,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":94,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":71205609,"flow_src_last_pkt_time":187576304,"flow_dst_last_pkt_time":187064352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":713,"flow_dst_tot_l4_payload_len":3012,"midstream":0,"thread_ts_usec":187576304,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"86.208.180.181","src_port":50249,"dst_port":45883,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":276,"flow_avg":7353901.0,"flow_max":55455380,"flow_stddev":14058455.0,"c_to_s_min":276,"c_to_s_avg":7466631.0,"c_to_s_max":55455380,"c_to_s_stddev":14014488.0,"s_to_c_min":805,"s_to_c_avg":7241171.5,"s_to_c_max":55396943,"s_to_c_stddev":14101385.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":99.3,"c_to_s_max":357,"c_to_s_stddev":76.5,"s_to_c_min":54,"s_to_c_avg":242.5,"s_to_c_max":1119,"s_to_c_stddev":321.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} +01468{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3028,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":94,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":71205609,"flow_src_last_pkt_time":187576304,"flow_dst_last_pkt_time":187064352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":713,"flow_dst_tot_l4_payload_len":3012,"midstream":0,"thread_ts_usec":187576304,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"86.208.180.181","src_port":50249,"dst_port":45883,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":276,"flow_avg":7491272.5,"flow_max":55455380,"flow_stddev":14262251.0,"c_to_s_min":276,"c_to_s_avg":7758046.5,"c_to_s_max":55455380,"c_to_s_stddev":14427086.0,"s_to_c_min":805,"s_to_c_avg":7241171.5,"s_to_c_max":55396943,"s_to_c_stddev":14101385.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":99.3,"c_to_s_max":357,"c_to_s_stddev":76.5,"s_to_c_min":54,"s_to_c_avg":242.5,"s_to_c_max":1119,"s_to_c_stddev":321.7}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3065,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":116,"flow_packet_id":2,"flow_src_last_pkt_time":191700213,"flow_dst_last_pkt_time":71540796,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":191700213,"pkt":"UlQAEjUCCAAn5uVZCABFAAA00HEAAIARI3sKAAIPfCy+kXAJJ7oAIMCGR05EED8oAQFUC1FLUlAGUk5BXS\/iNQlw"} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3066,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":187,"flow_packet_id":2,"flow_src_last_pkt_time":191700445,"flow_dst_last_pkt_time":82062863,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":191700445,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0uoEAAIARu5gKAAIPXFhcOHAJUhEAIBhcR05EED8pAQFUC1FLUlAGUk5BXS\/iNQlw"} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3067,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":209,"flow_packet_id":3,"flow_src_last_pkt_time":191700671,"flow_dst_last_pkt_time":82066425,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":191700671,"pkt":"UlQAEjUCCAAn5uVZCABFAAA06UYAAIARhsYKAAIPW7Ni6nAJGMoAIEuVR05EED8qAQFUC1FLUlAGUk5BXS\/iNQlw"} diff --git a/test/results/googledns_android10.pcap.out b/test/results/googledns_android10.pcap.out index 5db1179cf..c549263c9 100644 --- a/test/results/googledns_android10.pcap.out +++ b/test/results/googledns_android10.pcap.out @@ -25,7 +25,7 @@ 01167{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":47,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552826051495,"flow_dst_last_pkt_time":1592552826049329,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592552826051495,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":52,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552826051495,"flow_dst_last_pkt_time":1592552826080321,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1592552826080321,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01732{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":53,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552826051495,"flow_dst_last_pkt_time":1592552826081468,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":2836,"midstream":0,"thread_ts_usec":1592552826081468,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,2001:4860:4860::64,2001:4860:4860::6464,2001:4860:4860::8844,2001:4860:4860::8888,8.8.4.4,8.8.8.8","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}} -01592{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":80,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552827147738,"flow_dst_last_pkt_time":1592552827146388,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1042,"flow_dst_tot_l4_payload_len":5862,"midstream":0,"thread_ts_usec":1592552827147738,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":99,"flow_avg":70195.7,"flow_max":447414,"flow_stddev":120116.9,"c_to_s_min":349,"c_to_s_avg":71023.6,"c_to_s_max":386701,"c_to_s_stddev":111319.8,"s_to_c_min":99,"s_to_c_avg":69367.7,"s_to_c_max":447414,"s_to_c_stddev":128307.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":131.6,"c_to_s_max":225,"c_to_s_stddev":75.0,"s_to_c_min":66,"s_to_c_avg":432.9,"s_to_c_max":1484,"s_to_c_stddev":451.1}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} +01592{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":80,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552827147738,"flow_dst_last_pkt_time":1592552827146388,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1042,"flow_dst_tot_l4_payload_len":5862,"midstream":0,"thread_ts_usec":1592552827147738,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":99,"flow_avg":71648.9,"flow_max":447414,"flow_stddev":121761.7,"c_to_s_min":349,"c_to_s_avg":74082.2,"c_to_s_max":386701,"c_to_s_stddev":114317.8,"s_to_c_min":99,"s_to_c_avg":69367.7,"s_to_c_max":447414,"s_to_c_stddev":128307.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":131.6,"c_to_s_max":225,"c_to_s_stddev":75.0,"s_to_c_min":66,"s_to_c_avg":432.9,"s_to_c_max":1484,"s_to_c_stddev":451.1}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00731{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1592552827426405,"flow_src_last_pkt_time":1592552827426405,"flow_dst_last_pkt_time":1592552827426405,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592552827426405,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3} 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1592552827426405,"flow_dst_last_pkt_time":1592552827426405,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"thread_ts_usec":1592552827426405,"pkt":"EBMx8Tl2ag\/ahpuQCABFAABUl9BAAEAB0IHAqAGfCAgICAgA4JUAAgABem3sXgAAAADqxwcAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc="} 00856{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1592552827426405,"flow_src_last_pkt_time":1592552827426405,"flow_dst_last_pkt_time":1592552827426405,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592552827426405,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":5.297900}} @@ -40,7 +40,7 @@ 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":161,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1592552878563796,"flow_dst_last_pkt_time":1592552878562423,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1592552878563796,"pkt":"EBMx8Tl2ag\/ahpuQCABFAAA0PO9AAEAGL4LAqAGfCAgEBLviA1WhETzKd2wcRoAQAVeSlgAAAQEICgAAACw7E6h3"} 01168{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":162,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552878564695,"flow_dst_last_pkt_time":1592552878562423,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592552878564695,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"b734f75d22aaff9866fbd5d27eef9106","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01226{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":164,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552878564695,"flow_dst_last_pkt_time":1592552878577421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":147,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":147,"midstream":0,"thread_ts_usec":1592552878577421,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"b734f75d22aaff9866fbd5d27eef9106","ja3s":"1249fb68f48c0444718e4d3b48b27188","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} -01496{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":190,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552881411235,"flow_dst_last_pkt_time":1592552881429656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":499,"flow_src_tot_l4_payload_len":1522,"flow_dst_tot_l4_payload_len":3141,"midstream":0,"thread_ts_usec":1592552881429656,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":79,"flow_avg":388715.3,"flow_max":6697353,"flow_stddev":1181925.6,"c_to_s_min":899,"c_to_s_avg":597431.9,"c_to_s_max":6697353,"c_to_s_stddev":1608628.9,"s_to_c_min":79,"s_to_c_avg":179998.7,"s_to_c_max":1253719,"s_to_c_stddev":345085.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":161.6,"c_to_s_max":583,"c_to_s_stddev":131.2,"s_to_c_min":66,"s_to_c_avg":262.8,"s_to_c_max":565,"s_to_c_stddev":236.6}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} +01494{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":190,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552881411235,"flow_dst_last_pkt_time":1592552881429656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":499,"flow_src_tot_l4_payload_len":1522,"flow_dst_tot_l4_payload_len":3141,"midstream":0,"thread_ts_usec":1592552881429656,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":79,"flow_avg":185210.9,"flow_max":1253719,"flow_stddev":341703.1,"c_to_s_min":899,"c_to_s_avg":190770.5,"c_to_s_max":1234142,"c_to_s_stddev":337969.1,"s_to_c_min":79,"s_to_c_avg":179998.7,"s_to_c_max":1253719,"s_to_c_stddev":345085.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":161.6,"c_to_s_max":583,"c_to_s_stddev":131.2,"s_to_c_min":66,"s_to_c_avg":262.8,"s_to_c_max":565,"s_to_c_stddev":236.6}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00881{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":277,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1592552827426405,"flow_src_last_pkt_time":1592552828402579,"flow_dst_last_pkt_time":1592552828415412,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":128,"midstream":0,"thread_ts_usec":1592552955542932,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00884{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":277,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1592552824409182,"flow_src_last_pkt_time":1592552826207745,"flow_dst_last_pkt_time":1592552826208808,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1592552955542932,"l3_proto":"ip4","src_ip":"8.8.8.8","dst_ip":"192.168.1.159","src_port":853,"dst_port":55856,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"DoH_DoT.Google","proto_id":"196.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00761{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":277,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1592552824409182,"flow_src_last_pkt_time":1592552826207745,"flow_dst_last_pkt_time":1592552826208808,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1592552955542932,"l3_proto":"ip4","src_ip":"8.8.8.8","dst_ip":"192.168.1.159","src_port":853,"dst_port":55856,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -56,7 +56,7 @@ 01168{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":295,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553007088078,"flow_dst_last_pkt_time":1592553007051414,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592553007088078,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01228{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":297,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553007088078,"flow_dst_last_pkt_time":1592553007118877,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1592553007118877,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01733{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":298,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553007088078,"flow_dst_last_pkt_time":1592553007118996,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":2836,"midstream":0,"thread_ts_usec":1592553007118996,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,2001:4860:4860::64,2001:4860:4860::6464,2001:4860:4860::8844,2001:4860:4860::8888,8.8.4.4,8.8.8.8","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}} -01605{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":323,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553013061132,"flow_dst_last_pkt_time":1592553013091250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1042,"flow_dst_tot_l4_payload_len":5862,"midstream":0,"thread_ts_usec":1592553013091250,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":78,"flow_avg":717929.4,"flow_max":10895416,"flow_stddev":2281755.0,"c_to_s_min":103,"c_to_s_avg":1057470.0,"c_to_s_max":10895416,"c_to_s_stddev":2879416.8,"s_to_c_min":78,"s_to_c_avg":378388.9,"s_to_c_max":5703762,"s_to_c_stddev":1375207.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":131.6,"c_to_s_max":225,"c_to_s_stddev":75.0,"s_to_c_min":66,"s_to_c_avg":432.9,"s_to_c_max":1484,"s_to_c_stddev":451.1}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} +01602{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":323,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553013061132,"flow_dst_last_pkt_time":1592553013091250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1042,"flow_dst_tot_l4_payload_len":5862,"midstream":0,"thread_ts_usec":1592553013091250,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":78,"flow_avg":389623.4,"flow_max":5703762,"flow_stddev":1387530.2,"c_to_s_min":103,"c_to_s_avg":401606.9,"c_to_s_max":5640736,"c_to_s_stddev":1400455.2,"s_to_c_min":78,"s_to_c_avg":378388.9,"s_to_c_max":5703762,"s_to_c_stddev":1375207.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":131.6,"c_to_s_max":225,"c_to_s_stddev":75.0,"s_to_c_min":66,"s_to_c_avg":432.9,"s_to_c_max":1484,"s_to_c_stddev":451.1}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 01058{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":532,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":68,"flow_dst_packets_processed":65,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552996489587,"flow_dst_last_pkt_time":1592552996502369,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":499,"flow_src_tot_l4_payload_len":5210,"flow_dst_tot_l4_payload_len":14618,"midstream":0,"thread_ts_usec":1592553079303170,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 01167{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":532,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":121,"flow_dst_packets_processed":120,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553079303170,"flow_dst_last_pkt_time":1592553079299653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":11059,"flow_dst_tot_l4_payload_len":37798,"midstream":0,"thread_ts_usec":1592553079303170,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00575{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":532,"source":"googledns_android10.pcap","alias":"nDPId-test","packets-captured":532,"packets-processed":532,"total-skipped-flows":0,"total-l4-payload-len":97842,"total-not-detected-flows":0,"total-guessed-flows":2,"total-detected-flows":6,"total-detection-updates":9,"total-updates":0,"current-active-flows":0,"total-active-flows":8,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":62,"global_ts_usec":1592553079303170} diff --git a/test/results/http-manipulated.pcap.out b/test/results/http-manipulated.pcap.out index fa9b377b1..bb583edcd 100644 --- a/test/results/http-manipulated.pcap.out +++ b/test/results/http-manipulated.pcap.out @@ -11,7 +11,7 @@ 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":946729142063151,"flow_dst_last_pkt_time":946729142063378,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":946729142063378,"pkt":"ABjzZLGI0h+5iIqPCABFAAA0AABAAEAGuVjAqAAHwKgAFB+Qg5SNfRmbETdtNIAS+vAp\/QAAAgQFtAEBBAIBAwMG"} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":946729142063387,"flow_dst_last_pkt_time":946729142063378,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":946729142063387,"pkt":"0h+5iIqPABjzZLGICABFAAAosvpAAL4GiGnAqAAUwKgAB4OUH5ARN200jX0ZnFAQAfaBhgAA"} 01228{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":14,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":946729142063151,"flow_src_last_pkt_time":946729142063498,"flow_dst_last_pkt_time":946729142063378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":386,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946729142063498,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33684,"dst_port":8080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.lan","http": {"url":"www.lan:8080\/aaaaaaaaaaaaaaaaaaaaaaaa_very_long_uri","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:81.0) Gecko\/20100101 Firefox\/81.0","detected_os":"Linux x86_64"}}} -01486{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946729142063151,"flow_src_last_pkt_time":946729142137590,"flow_dst_last_pkt_time":946729142137635,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":5840,"flow_src_tot_l4_payload_len":721,"flow_dst_tot_l4_payload_len":44377,"midstream":0,"thread_ts_usec":946729142137635,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33684,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":38776304.0,"flow_max":1240692745,"flow_stddev":215870560.0,"c_to_s_min":7,"c_to_s_avg":77547952.0,"c_to_s_max":1240692745,"c_to_s_stddev":300322688.0,"s_to_c_min":9,"s_to_c_avg":4655.2,"s_to_c_max":73065,"s_to_c_stddev":17663.6},"pktlen": {"c_to_s_min":54,"c_to_s_avg":99.8,"c_to_s_max":440,"c_to_s_stddev":119.3,"s_to_c_min":60,"s_to_c_avg":2829.1,"s_to_c_max":5894,"s_to_c_stddev":1943.5}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01460{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946729142063151,"flow_src_last_pkt_time":946729142137590,"flow_dst_last_pkt_time":946729142137635,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":5840,"flow_src_tot_l4_payload_len":721,"flow_dst_tot_l4_payload_len":44377,"midstream":0,"thread_ts_usec":946729142137635,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33684,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":4804.0,"flow_max":73065,"flow_stddev":17898.4,"c_to_s_min":7,"c_to_s_avg":4962.6,"c_to_s_max":72850,"c_to_s_stddev":18144.1,"s_to_c_min":9,"s_to_c_avg":4655.2,"s_to_c_max":73065,"s_to_c_stddev":17663.6},"pktlen": {"c_to_s_min":54,"c_to_s_avg":99.8,"c_to_s_max":440,"c_to_s_stddev":119.3,"s_to_c_min":60,"s_to_c_avg":2829.1,"s_to_c_max":5894,"s_to_c_stddev":1943.5}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01034{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":328,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":946727901369326,"flow_src_last_pkt_time":946727901370537,"flow_dst_last_pkt_time":946727901370531,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":76,"flow_dst_max_l4_payload_len":577,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":577,"midstream":0,"thread_ts_usec":946729148160196,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33632,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01045{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":328,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":156,"flow_dst_packets_processed":162,"flow_first_seen":946729142063151,"flow_src_last_pkt_time":946729148159974,"flow_dst_last_pkt_time":946729148160196,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":29200,"flow_src_tot_l4_payload_len":973,"flow_dst_tot_l4_payload_len":939919,"midstream":0,"thread_ts_usec":946729148160196,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33684,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00572{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":328,"source":"http-manipulated.pcap","alias":"nDPId-test","packets-captured":328,"packets-processed":328,"total-skipped-flows":0,"total-l4-payload-len":941545,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":946729148160196} @@ -28,5 +28,5 @@ ~~ total allocations/frees...: 121781/121781 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 487 chars -~~ json string max len.......: 1491 chars -~~ json string avg len.......: 978 chars +~~ json string max len.......: 1465 chars +~~ json string avg len.......: 966 chars diff --git a/test/results/http_auth.pcap.out b/test/results/http_auth.pcap.out index 56937a9ab..f9b943d66 100644 --- a/test/results/http_auth.pcap.out +++ b/test/results/http_auth.pcap.out @@ -5,7 +5,7 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1381844050222515,"flow_dst_last_pkt_time":1381844050402547,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1381844050402547,"pkt":"KM\/pITwrTBfruiThCABFAAA8AABAADgGA2jA\/r2pwKgABABQ1EEDZtH9muIxs6ASOJA\/hAAAAgQFtAQCCAowzbX3H38TuAEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1381844050402655,"flow_dst_last_pkt_time":1381844050402547,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1381844050402655,"pkt":"TBfruiThKM\/pITwrCABFAAA0XSJAAEAGnk3AqAAEwP69qdRBAFCa4jGzA2bR\/oAQICuGBAAAAQEICh9\/FGkwzbX3"} 01138{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1381844050222515,"flow_src_last_pkt_time":1381844050402794,"flow_dst_last_pkt_time":1381844050402547,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":739,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":739,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1381844050402794,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"browserspy.dk","http": {"url":"browserspy.dk\/password-ok.php","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36","detected_os":"Intel Mac OS X 10_8_5"}}} -01365{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1381844050222515,"flow_src_last_pkt_time":1381844057134728,"flow_dst_last_pkt_time":1381844055865656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":739,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":739,"flow_dst_tot_l4_payload_len":17637,"midstream":0,"thread_ts_usec":1381844057134728,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":139,"flow_avg":86243720.0,"flow_max":2747243683,"flow_stddev":477931136.0,"c_to_s_min":139,"c_to_s_avg":196725408.0,"c_to_s_max":2747243683,"c_to_s_stddev":707387584.0,"s_to_c_min":596,"s_to_c_avg":313507.8,"s_to_c_max":4861805,"s_to_c_stddev":1105693.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":119.6,"c_to_s_max":805,"c_to_s_stddev":190.1,"s_to_c_min":66,"s_to_c_avg":1046.3,"s_to_c_max":1514,"s_to_c_stddev":619.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01350{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1381844050222515,"flow_src_last_pkt_time":1381844057134728,"flow_dst_last_pkt_time":1381844055865656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":739,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":739,"flow_dst_tot_l4_payload_len":17637,"midstream":0,"thread_ts_usec":1381844057134728,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":139,"flow_avg":405011.4,"flow_max":4861829,"flow_stddev":1193509.9,"c_to_s_min":139,"c_to_s_avg":531708.7,"c_to_s_max":4861829,"c_to_s_stddev":1294752.2,"s_to_c_min":596,"s_to_c_avg":313507.8,"s_to_c_max":4861805,"s_to_c_stddev":1105693.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":119.6,"c_to_s_max":805,"c_to_s_stddev":190.1,"s_to_c_min":66,"s_to_c_avg":1046.3,"s_to_c_max":1514,"s_to_c_stddev":619.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00906{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":33,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":19,"flow_first_seen":1381844050222515,"flow_src_last_pkt_time":1381844057134728,"flow_dst_last_pkt_time":1381844057320871,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":739,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":739,"flow_dst_tot_l4_payload_len":17637,"midstream":0,"thread_ts_usec":1381844057320871,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00562{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":33,"source":"http_auth.pcap","alias":"nDPId-test","packets-captured":33,"packets-processed":33,"total-skipped-flows":0,"total-l4-payload-len":18376,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1381844057320871} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121473/121473 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 480 chars -~~ json string max len.......: 1370 chars -~~ json string avg len.......: 897 chars +~~ json string max len.......: 1355 chars +~~ json string avg len.......: 890 chars diff --git a/test/results/http_connect.pcap.out b/test/results/http_connect.pcap.out index 559652641..12f746df6 100644 --- a/test/results/http_connect.pcap.out +++ b/test/results/http_connect.pcap.out @@ -16,8 +16,8 @@ 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1631454722876748,"flow_dst_last_pkt_time":1631454722876712,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1631454722876748,"pkt":"ACWQX+cTAAwpTU5kCABFAAA0Fy5AAEAGx3LAqAGSl2UChIyAAbsTD57breozroAQAfZcSgAAAQEICgoEV40sPaiU"} 01079{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":14,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722879577,"flow_dst_last_pkt_time":1631454722876712,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1631454722879577,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"apache.org","tls": {"version":"TLSv1.2","ja3":"c834494f5948ae026d160656c93c8871","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01124{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722879577,"flow_dst_last_pkt_time":1631454722895566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1384,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1384,"midstream":0,"thread_ts_usec":1631454722895566,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"apache.org","tls": {"version":"TLSv1.3","ja3":"c834494f5948ae026d160656c93c8871","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01324{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722915624,"flow_dst_last_pkt_time":1631454722915766,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1384,"flow_src_tot_l4_payload_len":1070,"flow_dst_tot_l4_payload_len":14818,"midstream":0,"thread_ts_usec":1631454722915766,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":14,"flow_avg":3004.0,"flow_max":16011,"flow_stddev":4812.4,"c_to_s_min":19,"c_to_s_avg":3014.0,"c_to_s_max":16011,"c_to_s_stddev":4868.5,"s_to_c_min":14,"s_to_c_avg":2994.0,"s_to_c_max":15010,"s_to_c_stddev":4755.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":133.4,"c_to_s_max":583,"c_to_s_stddev":165.4,"s_to_c_min":66,"s_to_c_avg":992.6,"s_to_c_max":1450,"s_to_c_stddev":625.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01370{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":79,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1631454722864133,"flow_src_last_pkt_time":1631454722971434,"flow_dst_last_pkt_time":1631454722971505,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":5536,"flow_src_tot_l4_payload_len":1512,"flow_dst_tot_l4_payload_len":22723,"midstream":0,"thread_ts_usec":1631454722971505,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.146","src_port":1714,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":87679952.0,"flow_max":2805543669,"flow_stddev":488142752.0,"c_to_s_min":4,"c_to_s_avg":200403632.0,"c_to_s_max":2805543669,"c_to_s_stddev":722535872.0,"s_to_c_min":22,"s_to_c_avg":5965.1,"s_to_c_max":53379,"s_to_c_stddev":12391.3},"pktlen": {"c_to_s_min":60,"c_to_s_avg":165.0,"c_to_s_max":571,"c_to_s_stddev":145.2,"s_to_c_min":54,"s_to_c_avg":1317.1,"s_to_c_max":5590,"s_to_c_stddev":1980.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP_Connect","proto_id":"130","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01324{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722915624,"flow_dst_last_pkt_time":1631454722915766,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1384,"flow_src_tot_l4_payload_len":1070,"flow_dst_tot_l4_payload_len":14818,"midstream":0,"thread_ts_usec":1631454722915766,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":14,"flow_avg":3086.0,"flow_max":16011,"flow_stddev":4867.3,"c_to_s_min":19,"c_to_s_avg":3184.1,"c_to_s_max":16011,"c_to_s_stddev":4981.9,"s_to_c_min":14,"s_to_c_avg":2994.0,"s_to_c_max":15010,"s_to_c_stddev":4755.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":133.4,"c_to_s_max":583,"c_to_s_stddev":165.4,"s_to_c_min":66,"s_to_c_avg":992.6,"s_to_c_max":1450,"s_to_c_stddev":625.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":79,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1631454722864133,"flow_src_last_pkt_time":1631454722971434,"flow_dst_last_pkt_time":1631454722971505,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":5536,"flow_src_tot_l4_payload_len":1512,"flow_dst_tot_l4_payload_len":22723,"midstream":0,"thread_ts_usec":1631454722971505,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.146","src_port":1714,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":6924.9,"flow_max":53379,"flow_stddev":12836.3,"c_to_s_min":4,"c_to_s_avg":8253.9,"c_to_s_max":50186,"c_to_s_stddev":13314.4,"s_to_c_min":22,"s_to_c_avg":5965.1,"s_to_c_max":53379,"s_to_c_stddev":12391.3},"pktlen": {"c_to_s_min":60,"c_to_s_avg":165.0,"c_to_s_max":571,"c_to_s_stddev":145.2,"s_to_c_min":54,"s_to_c_avg":1317.1,"s_to_c_max":5590,"s_to_c_stddev":1980.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP_Connect","proto_id":"130","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00904{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1631454722867400,"flow_src_last_pkt_time":1631454722867400,"flow_dst_last_pkt_time":1631454722867500,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":55,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":55,"midstream":0,"thread_ts_usec":1631454722977251,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"192.168.1.2","src_port":47767,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00907{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":30,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722977215,"flow_dst_last_pkt_time":1631454722977251,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1384,"flow_src_tot_l4_payload_len":1701,"flow_dst_tot_l4_payload_len":30951,"midstream":0,"thread_ts_usec":1631454722977251,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00923{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":22,"flow_first_seen":1631454722864133,"flow_src_last_pkt_time":1631454722976969,"flow_dst_last_pkt_time":1631454722977036,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":5536,"flow_src_tot_l4_payload_len":1904,"flow_dst_tot_l4_payload_len":22723,"midstream":0,"thread_ts_usec":1631454722977251,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.146","src_port":1714,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP_Connect","proto_id":"130","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} @@ -35,5 +35,5 @@ ~~ total allocations/frees...: 121564/121564 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 483 chars -~~ json string max len.......: 1375 chars -~~ json string avg len.......: 926 chars +~~ json string max len.......: 1348 chars +~~ json string avg len.......: 912 chars diff --git a/test/results/http_ipv6.pcap.out b/test/results/http_ipv6.pcap.out index 7f2686855..0a7e86283 100644 --- a/test/results/http_ipv6.pcap.out +++ b/test/results/http_ipv6.pcap.out @@ -20,7 +20,7 @@ 00796{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1448269127960079,"flow_dst_last_pkt_time":1448269127960079,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":260,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":260,"pkt_l4_len":206,"thread_ts_usec":1448269127960079,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAAM4RQCoADUAAAQADeqzA\/\/6nDUwqABRQQAsMAgAAAAAAAABf12kBuwDOCoAMj5N114hr41MJBd7sKG9JfODv2KzX0uexKi4OUzkr936AyksmjfKzejWhR1IllABVz6\/Nd8+DDPRvVbNJa4sAljMB\/byd9EnDrnASdvNnincHpyqVPP90d4TSxj+ARZa\/L622T2LNfPxOM6m\/si1ZmPjMCf2wR7DzkfTBciJe2oZugnMhbWbTFVoln8LtSZhpET4oRj3Jk\/IY0Vhm0AHAVNXjHBEt89UVS7Gr6h9OBH5HRJ1TIdTk4GJ40SQl9lgo1l4eCx0="} 00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1448269127960079,"flow_dst_last_pkt_time":1448269128003411,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":143,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":143,"pkt_l4_len":89,"thread_ts_usec":1448269128003411,"pkt":"eKzApw1M9LUv\/K\/Cht1gAAAAAFkRMyoAFFBACwwCAAAAAAAAAF8qAA1AAAEAA3qswP\/+pw1MAbvXaQBZLuIAB1nnejc74Zg5YssedTReRP0KRIf1hcs3Aafoe+Tuwy6JT\/77UOdg9PcT9s8XDyyGEBG\/Mph8KZAg9aAfxnp6BrSLMfMbzThg3fGY8Pw0dHA="} 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":34,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1448269128028795,"flow_dst_last_pkt_time":1448269128003411,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":99,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":99,"pkt_l4_len":45,"thread_ts_usec":1448269128028795,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAAC0RQCoADUAAAQADeqzA\/\/6nDUwqABRQQAsMAgAAAAAAAABf12kBuwAtCd8Mj5N114hr41MKZOnBWgR9A+MJ4bypcpF9U29vj07q+fvNp9EO"} -01397{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1448269127400446,"flow_src_last_pkt_time":1448269137275811,"flow_dst_last_pkt_time":1448269136257808,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4058,"flow_dst_tot_l4_payload_len":4856,"midstream":0,"thread_ts_usec":1448269137275811,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a00:1450:4001:803::1017","src_port":45931,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1512,"flow_avg":585564.1,"flow_max":6008829,"flow_stddev":1466451.0,"c_to_s_min":5326,"c_to_s_avg":581217.1,"c_to_s_max":6008829,"c_to_s_stddev":1425834.9,"s_to_c_min":1512,"s_to_c_avg":590490.8,"s_to_c_max":6008710,"s_to_c_stddev":1511148.5},"pktlen": {"c_to_s_min":99,"c_to_s_avg":300.7,"c_to_s_max":1412,"c_to_s_stddev":378.6,"s_to_c_min":91,"s_to_c_avg":385.7,"s_to_c_max":1412,"s_to_c_stddev":368.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01398{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1448269127400446,"flow_src_last_pkt_time":1448269137275811,"flow_dst_last_pkt_time":1448269136257808,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4058,"flow_dst_tot_l4_payload_len":4856,"midstream":0,"thread_ts_usec":1448269137275811,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a00:1450:4001:803::1017","src_port":45931,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1512,"flow_avg":604281.6,"flow_max":6008829,"flow_stddev":1486148.8,"c_to_s_min":26190,"c_to_s_avg":617210.3,"c_to_s_max":6008829,"c_to_s_stddev":1462205.2,"s_to_c_min":1512,"s_to_c_avg":590490.8,"s_to_c_max":6008710,"s_to_c_stddev":1511148.5},"pktlen": {"c_to_s_min":99,"c_to_s_avg":300.7,"c_to_s_max":1412,"c_to_s_stddev":378.6,"s_to_c_min":91,"s_to_c_avg":385.7,"s_to_c_max":1412,"s_to_c_stddev":368.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":84,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1448269138575377,"flow_src_last_pkt_time":1448269138575377,"flow_dst_last_pkt_time":1448269138575377,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1448269138575377,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37486,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1448269138575377,"flow_dst_last_pkt_time":1448269138575377,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1448269138575377,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAACgGQCoADUAAAQADeqzA\/\/6nDUwqA7DAAAMA0AAAAAAAcBABkm4Bu5jVbXIAAAAAoAJwgGsaAAACBAWgBAIIChINdycAAAAAAQMDBw=="} 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":85,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1448269138575474,"flow_src_last_pkt_time":1448269138575474,"flow_dst_last_pkt_time":1448269138575474,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1448269138575474,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37488,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/iax.pcap.out b/test/results/iax.pcap.out index 27340ce94..676c94426 100644 --- a/test/results/iax.pcap.out +++ b/test/results/iax.pcap.out @@ -5,7 +5,7 @@ 00852{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1123840005963862,"flow_src_last_pkt_time":1123840005963862,"flow_dst_last_pkt_time":1123840005963862,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":66,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":66,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":66,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1123840005963862,"l3_proto":"ip4","src_ip":"82.110.36.84","dst_ip":"192.168.2.120","src_port":4569,"dst_port":4566,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IAX","proto_id":"95","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1123840005963862,"flow_dst_last_pkt_time":1123840005966035,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1123840005966035,"pkt":"AOCBJ2JwAMDwli5rCABFAAAoV7tAAEARqSfAqAJ4Um4kVBHWEdkAFBwTgBcABAAAAAEAAQYE"} 00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1123840005963862,"flow_dst_last_pkt_time":1123840005971132,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1123840005971132,"pkt":"AOCBJ2JwAMDwli5rCABFAAAoV71AAEARqSXAqAJ4Um4kVBHWEdkAFBwJgBcABAAAAAgAAQYH"} -01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":5,"flow_first_seen":1123840005963862,"flow_src_last_pkt_time":1123840006456930,"flow_dst_last_pkt_time":1123840006059195,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":3882,"flow_dst_tot_l4_payload_len":372,"midstream":0,"thread_ts_usec":1123840006456930,"l3_proto":"ip4","src_ip":"82.110.36.84","dst_ip":"192.168.2.120","src_port":4569,"dst_port":4566,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":948,"flow_avg":52625356.0,"flow_max":1683423046,"flow_stddev":292899904.0,"c_to_s_min":948,"c_to_s_avg":62367264.0,"c_to_s_max":1683423046,"c_to_s_stddev":317915200.0,"s_to_c_min":2173,"s_to_c_avg":19066.6,"s_to_c_max":51403,"s_to_c_stddev":17893.8},"pktlen": {"c_to_s_min":60,"c_to_s_avg":186.4,"c_to_s_max":214,"c_to_s_stddev":48.4,"s_to_c_min":54,"s_to_c_avg":116.4,"s_to_c_max":214,"s_to_c_stddev":76.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"IAX","proto_id":"95","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01324{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":5,"flow_first_seen":1123840005963862,"flow_src_last_pkt_time":1123840006456930,"flow_dst_last_pkt_time":1123840006059195,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":3882,"flow_dst_tot_l4_payload_len":372,"midstream":0,"thread_ts_usec":1123840006456930,"l3_proto":"ip4","src_ip":"82.110.36.84","dst_ip":"192.168.2.120","src_port":4569,"dst_port":4566,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":948,"flow_avg":18980.7,"flow_max":51403,"flow_stddev":10969.1,"c_to_s_min":948,"c_to_s_avg":18964.2,"c_to_s_max":43190,"c_to_s_stddev":9049.0,"s_to_c_min":2173,"s_to_c_avg":19066.6,"s_to_c_max":51403,"s_to_c_stddev":17893.8},"pktlen": {"c_to_s_min":60,"c_to_s_avg":186.4,"c_to_s_max":214,"c_to_s_stddev":48.4,"s_to_c_min":54,"s_to_c_avg":116.4,"s_to_c_max":214,"s_to_c_stddev":76.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"IAX","proto_id":"95","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00902{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":50,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":22,"flow_first_seen":1123840005963862,"flow_src_last_pkt_time":1123840006472888,"flow_dst_last_pkt_time":1123840006489877,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":4046,"flow_dst_tot_l4_payload_len":3008,"midstream":0,"thread_ts_usec":1123840006489877,"l3_proto":"ip4","src_ip":"82.110.36.84","dst_ip":"192.168.2.120","src_port":4569,"dst_port":4566,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IAX","proto_id":"95","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00555{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":50,"source":"iax.pcap","alias":"nDPId-test","packets-captured":50,"packets-processed":50,"total-skipped-flows":0,"total-l4-payload-len":7054,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1123840006489877} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121484/121484 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 474 chars -~~ json string max len.......: 1354 chars -~~ json string avg len.......: 881 chars +~~ json string max len.......: 1329 chars +~~ json string avg len.......: 869 chars diff --git a/test/results/icmp-tunnel.pcap.out b/test/results/icmp-tunnel.pcap.out index e56800244..fb60aa7f5 100644 --- a/test/results/icmp-tunnel.pcap.out +++ b/test/results/icmp-tunnel.pcap.out @@ -5,7 +5,7 @@ 00977{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360227866459330,"flow_dst_last_pkt_time":1360227866459330,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":92,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":92,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":92,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1360227866459330,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":5.703333}} 00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1360227867458100,"flow_dst_last_pkt_time":1360227866459330,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"thread_ts_usec":1360227867458100,"pkt":"AAwpy+OCAAwpzwzBCABFAABwAABAAEABhDTAqJqDwKiahAgAAAD+\/wAARQAAVAAAQABAASPpCl8BAQpfAQIIAH3tPQgAAi5uE1EKRgYACAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3"} 00610{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1360227868458136,"flow_dst_last_pkt_time":1360227866459330,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"thread_ts_usec":1360227868458136,"pkt":"AAwpy+OCAAwpzwzBCABFAABwAABAAEABhDTAqJqDwKiahAgAAAD+\/wAARQAAVAAAQABAASPpCl8BAQpfAQIIAD\/sPQgAAy9uE1FHRgYACAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3"} -01470{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360227888466859,"flow_dst_last_pkt_time":1360227888466987,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":92,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":92,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":2116,"flow_dst_tot_l4_payload_len":828,"midstream":0,"thread_ts_usec":1360227888466987,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":998770,"flow_avg":99309264.0,"flow_max":3133881266,"flow_stddev":545029888.0,"c_to_s_min":998770,"c_to_s_avg":137212560.0,"c_to_s_max":3133881266,"c_to_s_stddev":638891904.0,"s_to_c_min":1000921,"s_to_c_avg":2445295.0,"s_to_c_max":13999352,"s_to_c_stddev":4084976.0},"pktlen": {"c_to_s_min":126,"c_to_s_avg":126.0,"c_to_s_max":126,"c_to_s_stddev":0.0,"s_to_c_min":126,"s_to_c_avg":126.0,"s_to_c_max":126,"s_to_c_stddev":0.0}},"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01454{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360227888466859,"flow_dst_last_pkt_time":1360227888466987,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":92,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":92,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":2116,"flow_dst_tot_l4_payload_len":828,"midstream":0,"thread_ts_usec":1360227888466987,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":998770,"flow_avg":1419844.6,"flow_max":13999352,"flow_stddev":2296693.5,"c_to_s_min":998770,"c_to_s_avg":1000342.2,"c_to_s_max":1001250,"c_to_s_stddev":690.4,"s_to_c_min":1000921,"s_to_c_avg":2445295.0,"s_to_c_max":13999352,"s_to_c_stddev":4084976.0},"pktlen": {"c_to_s_min":126,"c_to_s_avg":126.0,"c_to_s_max":126,"c_to_s_stddev":0.0,"s_to_c_min":126,"s_to_c_avg":126.0,"s_to_c_max":126,"s_to_c_stddev":0.0}},"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01011{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":160,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":87,"flow_dst_packets_processed":60,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360228057029534,"flow_dst_last_pkt_time":1360228057029101,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":852,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":9088,"flow_dst_tot_l4_payload_len":8105,"midstream":0,"thread_ts_usec":1360228057029534,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01016{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":214,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":107,"flow_dst_packets_processed":80,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360228178094744,"flow_dst_last_pkt_time":1360228178094295,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1036,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":15614,"flow_dst_tot_l4_payload_len":14635,"midstream":0,"thread_ts_usec":1360228178094744,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01016{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":257,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":125,"flow_dst_packets_processed":95,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360228298215269,"flow_dst_last_pkt_time":1360228298215435,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1041,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":20754,"flow_dst_tot_l4_payload_len":16362,"midstream":0,"thread_ts_usec":1360228298215435,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -30,5 +30,5 @@ ~~ total allocations/frees...: 122297/122297 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 482 chars -~~ json string max len.......: 1475 chars -~~ json string avg len.......: 977 chars +~~ json string max len.......: 1459 chars +~~ json string avg len.......: 969 chars diff --git a/test/results/iec60780-5-104.pcap.out b/test/results/iec60780-5-104.pcap.out index c30b460ca..a910ed647 100644 --- a/test/results/iec60780-5-104.pcap.out +++ b/test/results/iec60780-5-104.pcap.out @@ -36,7 +36,7 @@ 00566{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":107,"source":"iec60780-5-104.pcap","alias":"nDPId-test","packets-captured":107,"packets-processed":106,"total-skipped-flows":0,"total-l4-payload-len":343,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":3,"total-active-flows":6,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":36,"global_ts_usec":1219992852463357} 00919{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":117,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":10,"flow_first_seen":1219992590188368,"flow_src_last_pkt_time":1219992781349438,"flow_dst_last_pkt_time":1219992781349461,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":6,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":24,"midstream":0,"thread_ts_usec":1219992910077446,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1572,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":124,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":5,"flow_first_seen":1219992782348776,"flow_src_last_pkt_time":1219992818955088,"flow_dst_last_pkt_time":1219992818955112,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":17,"flow_dst_max_l4_payload_len":6,"flow_src_tot_l4_payload_len":28,"flow_dst_tot_l4_payload_len":6,"midstream":0,"thread_ts_usec":1219992961194617,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1577,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01368{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":132,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1219992819942883,"flow_src_last_pkt_time":1219992991664467,"flow_dst_last_pkt_time":1219992991860370,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":94,"flow_dst_tot_l4_payload_len":207,"midstream":0,"thread_ts_usec":1219992991860370,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1578,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":133,"flow_avg":10769612.0,"flow_max":32516052,"flow_stddev":10848931.0,"c_to_s_min":283,"c_to_s_avg":9090004.0,"c_to_s_max":32485009,"c_to_s_stddev":10621679.0,"s_to_c_min":133,"s_to_c_avg":13224422.0,"s_to_c_max":32516052,"s_to_c_stddev":10708937.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":62.2,"c_to_s_max":70,"c_to_s_stddev":4.0,"s_to_c_min":54,"s_to_c_avg":70.5,"s_to_c_max":118,"s_to_c_stddev":16.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01368{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":132,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1219992819942883,"flow_src_last_pkt_time":1219992991664467,"flow_dst_last_pkt_time":1219992991860370,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":94,"flow_dst_tot_l4_payload_len":207,"midstream":0,"thread_ts_usec":1219992991860370,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1578,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":133,"flow_avg":11085131.0,"flow_max":32516052,"flow_stddev":10877058.0,"c_to_s_min":283,"c_to_s_avg":9540088.0,"c_to_s_max":32485009,"c_to_s_stddev":10734939.0,"s_to_c_min":133,"s_to_c_avg":13224422.0,"s_to_c_max":32516052,"s_to_c_stddev":10708937.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":62.2,"c_to_s_max":70,"c_to_s_stddev":4.0,"s_to_c_min":54,"s_to_c_avg":70.5,"s_to_c_max":118,"s_to_c_stddev":16.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00922{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":147,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":19,"flow_first_seen":1219992819942883,"flow_src_last_pkt_time":1219993055118751,"flow_dst_last_pkt_time":1219993055118603,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":263,"midstream":0,"thread_ts_usec":1219993055118751,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1578,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00568{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":147,"source":"iec60780-5-104.pcap","alias":"nDPId-test","packets-captured":147,"packets-processed":147,"total-skipped-flows":0,"total-l4-payload-len":748,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":6,"total-idle-flows":6,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":41,"global_ts_usec":1219993055118751} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/imap-starttls.pcap.out b/test/results/imap-starttls.pcap.out index 7c705c7d0..c5b87963d 100644 --- a/test/results/imap-starttls.pcap.out +++ b/test/results/imap-starttls.pcap.out @@ -8,7 +8,7 @@ 01240{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":6,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584568570497,"flow_dst_last_pkt_time":1437584568569894,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":271,"flow_src_tot_l4_payload_len":344,"flow_dst_tot_l4_payload_len":530,"midstream":0,"thread_ts_usec":1437584568570497,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01242{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":7,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584568570497,"flow_dst_last_pkt_time":1437584568767274,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":344,"flow_dst_tot_l4_payload_len":1990,"midstream":0,"thread_ts_usec":1437584568767274,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01347{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":19,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":10,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584568767550,"flow_dst_last_pkt_time":1437584568769690,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":344,"flow_dst_tot_l4_payload_len":5492,"midstream":0,"thread_ts_usec":1437584568769690,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} -01222{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":99534664.0,"flow_max":3179266232,"flow_stddev":553136256.0,"c_to_s_min":1,"c_to_s_avg":176782960.0,"c_to_s_max":3179266232,"c_to_s_stddev":728209280.0,"s_to_c_min":9,"s_to_c_avg":215434.1,"s_to_c_max":1677753,"s_to_c_stddev":415756.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":85.3,"c_to_s_max":372,"c_to_s_stddev":75.5,"s_to_c_min":60,"s_to_c_avg":459.9,"s_to_c_max":1514,"s_to_c_stddev":570.9}}} +01205{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":188486.4,"flow_max":1677753,"flow_stddev":378167.8,"c_to_s_min":1,"c_to_s_avg":166294.2,"c_to_s_max":1486951,"c_to_s_stddev":342555.0,"s_to_c_min":9,"s_to_c_avg":215434.1,"s_to_c_max":1677753,"s_to_c_stddev":415756.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":85.3,"c_to_s_max":372,"c_to_s_stddev":75.5,"s_to_c_min":60,"s_to_c_avg":459.9,"s_to_c_max":1514,"s_to_c_stddev":570.9}}} 01348{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01378{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","packets-captured":32,"packets-processed":32,"total-skipped-flows":0,"total-l4-payload-len":6193,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1437584570828629} diff --git a/test/results/imap.pcap.out b/test/results/imap.pcap.out index 99fa0ed2c..c71bd8e5e 100644 --- a/test/results/imap.pcap.out +++ b/test/results/imap.pcap.out @@ -5,7 +5,7 @@ 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1213095262213846,"flow_dst_last_pkt_time":1213095262213972,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1213095262213972,"pkt":"ABUXJM1lAASWJ8g6CABFAAA8VURAAH8GiyQKKAMCCigEAgCPs903+0YNiGqqZqASIAAxdQAAAgQFtAEDAwgEAggKAoc1IAoMNC0="} 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1213095262213996,"flow_dst_last_pkt_time":1213095262213972,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1213095262213996,"pkt":"AASWJ8g6ABUXJM1lCABFAAA0nklAAEAGgScKKAQCCigDArPdAI+IaqpmN\/tGDoAQAC6AFAAAAQEICgoMNC0ChzUg"} 01025{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":4,"flow_first_seen":1213095262213846,"flow_src_last_pkt_time":1213095266594138,"flow_dst_last_pkt_time":1213095262264097,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":26,"flow_dst_max_l4_payload_len":65,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":1213095266594138,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"IMAP","proto_id":"4","encrypted":0,"breed":"Unsafe","category_id":3,"category":"Email","imap": {"user":"samir","password":"pfres","auth_failed":0}}} -01462{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1213095262213846,"flow_src_last_pkt_time":1213095266780228,"flow_dst_last_pkt_time":1213095266780369,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":73,"flow_dst_max_l4_payload_len":696,"flow_src_tot_l4_payload_len":179,"flow_dst_tot_l4_payload_len":1401,"midstream":0,"thread_ts_usec":1213095266780369,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":88,"flow_avg":101044616.0,"flow_max":3224294854,"flow_stddev":560953216.0,"c_to_s_min":88,"c_to_s_avg":169940064.0,"c_to_s_max":3224294854,"c_to_s_stddev":719918976.0,"s_to_c_min":126,"s_to_c_avg":351271.0,"s_to_c_max":4331408,"s_to_c_stddev":1149077.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":75.8,"c_to_s_max":139,"c_to_s_stddev":17.5,"s_to_c_min":74,"s_to_c_avg":174.4,"s_to_c_max":762,"s_to_c_stddev":181.2}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"IMAP","proto_id":"4","encrypted":0,"breed":"Unsafe","category_id":3,"category":"Email"}} +01445{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1213095262213846,"flow_src_last_pkt_time":1213095266780228,"flow_dst_last_pkt_time":1213095266780369,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":73,"flow_dst_max_l4_payload_len":696,"flow_src_tot_l4_payload_len":179,"flow_dst_tot_l4_payload_len":1401,"midstream":0,"thread_ts_usec":1213095266780369,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":88,"flow_avg":294609.8,"flow_max":4331408,"flow_stddev":1060070.4,"c_to_s_min":88,"c_to_s_avg":253687.9,"c_to_s_max":4330018,"c_to_s_stddev":988809.7,"s_to_c_min":126,"s_to_c_avg":351271.0,"s_to_c_max":4331408,"s_to_c_stddev":1149077.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":75.8,"c_to_s_max":139,"c_to_s_stddev":17.5,"s_to_c_min":74,"s_to_c_avg":174.4,"s_to_c_max":762,"s_to_c_stddev":181.2}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"IMAP","proto_id":"4","encrypted":0,"breed":"Unsafe","category_id":3,"category":"Email"}} 01009{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":33,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":13,"flow_first_seen":1213095262213846,"flow_src_last_pkt_time":1213095266780387,"flow_dst_last_pkt_time":1213095266780369,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":73,"flow_dst_max_l4_payload_len":696,"flow_src_tot_l4_payload_len":179,"flow_dst_tot_l4_payload_len":1401,"midstream":0,"thread_ts_usec":1213095266780387,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"IMAP","proto_id":"4","encrypted":0,"breed":"Unsafe","category_id":3,"category":"Email"}} 00556{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":33,"source":"imap.pcap","alias":"nDPId-test","packets-captured":33,"packets-processed":33,"total-skipped-flows":0,"total-l4-payload-len":1580,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1213095266780387} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121469/121469 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 475 chars -~~ json string max len.......: 1467 chars -~~ json string avg len.......: 933 chars +~~ json string max len.......: 1450 chars +~~ json string avg len.......: 926 chars diff --git a/test/results/imo.pcap.out b/test/results/imo.pcap.out index f17c51c36..602106aab 100644 --- a/test/results/imo.pcap.out +++ b/test/results/imo.pcap.out @@ -10,8 +10,8 @@ 00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1646579366870607,"flow_dst_last_pkt_time":1646579366906814,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":43,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":43,"pkt_l4_len":9,"thread_ts_usec":1646579366906814,"pkt":"mt9Y+uvcCL6sCxduCABFAAAd07xAADYRF2ddIS86wKgMqeEEwDcACY7ydg=="} 00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1646579366870607,"flow_dst_last_pkt_time":1646579366927729,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":149,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":149,"pkt_l4_len":115,"thread_ts_usec":1646579366927729,"pkt":"mt9Y+uvcCL6sCxduCABFAACH071AADYRFvxdIS86wKgMqeEEwDcAc11kag0AAJobOdZhqhsqD3t\/ZsLZznm6P+VojS4Ym286bkA4KafGXg3iLF\/wjB8hr6WLuR7MT5lbl5UGnsPZptwcvPKKbJmOyY4TOPC9kAo6L6kDDYE4iSyFwPlyWfdtSAheyL2rRrc\/cATh7Qs="} 00859{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":28,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1646579366870607,"flow_src_last_pkt_time":1646579366939802,"flow_dst_last_pkt_time":1646579366927729,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":10,"flow_dst_max_l4_payload_len":107,"flow_src_tot_l4_payload_len":11,"flow_dst_tot_l4_payload_len":108,"midstream":0,"thread_ts_usec":1646579366939802,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"93.33.47.58","src_port":49207,"dst_port":57604,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01326{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":62,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1646579366870607,"flow_src_last_pkt_time":1646579367998159,"flow_dst_last_pkt_time":1646579367589404,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":107,"flow_src_tot_l4_payload_len":241,"flow_dst_tot_l4_payload_len":239,"midstream":0,"thread_ts_usec":1646579367998159,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"93.33.47.58","src_port":49207,"dst_port":57604,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":22,"flow_avg":58121.3,"flow_max":463846,"flow_stddev":118788.2,"c_to_s_min":89,"c_to_s_avg":71317.8,"c_to_s_max":463846,"c_to_s_stddev":140812.8,"s_to_c_min":22,"s_to_c_avg":44924.8,"s_to_c_max":379036,"s_to_c_stddev":89692.4},"pktlen": {"c_to_s_min":43,"c_to_s_avg":57.1,"c_to_s_max":142,"c_to_s_stddev":22.0,"s_to_c_min":43,"s_to_c_avg":56.9,"s_to_c_max":149,"s_to_c_stddev":24.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01359{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"imo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1646579366752245,"flow_src_last_pkt_time":1646579368878172,"flow_dst_last_pkt_time":1646579368918568,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":182,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1224,"flow_dst_max_l4_payload_len":224,"flow_src_tot_l4_payload_len":11806,"flow_dst_tot_l4_payload_len":720,"midstream":0,"thread_ts_usec":1646579368918568,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"185.155.137.30","src_port":49207,"dst_port":36535,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":24,"flow_avg":18090860.0,"flow_max":574615269,"flow_stddev":99955184.0,"c_to_s_min":275,"c_to_s_avg":33925952.0,"c_to_s_max":574615269,"c_to_s_stddev":135172640.0,"s_to_c_min":24,"s_to_c_avg":144421.5,"s_to_c_max":1002553,"s_to_c_stddev":311646.2},"pktlen": {"c_to_s_min":224,"c_to_s_avg":736.5,"c_to_s_max":1266,"c_to_s_stddev":500.8,"s_to_c_min":52,"s_to_c_avg":90.0,"s_to_c_max":266,"s_to_c_stddev":60.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01326{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":62,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1646579366870607,"flow_src_last_pkt_time":1646579367998159,"flow_dst_last_pkt_time":1646579367589404,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":107,"flow_src_tot_l4_payload_len":241,"flow_dst_tot_l4_payload_len":239,"midstream":0,"thread_ts_usec":1646579367998159,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"93.33.47.58","src_port":49207,"dst_port":57604,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":22,"flow_avg":59559.6,"flow_max":463846,"flow_stddev":120414.4,"c_to_s_min":89,"c_to_s_avg":75170.1,"c_to_s_max":463846,"c_to_s_stddev":144612.2,"s_to_c_min":22,"s_to_c_avg":44924.8,"s_to_c_max":379036,"s_to_c_stddev":89692.4},"pktlen": {"c_to_s_min":43,"c_to_s_avg":57.1,"c_to_s_max":142,"c_to_s_stddev":22.0,"s_to_c_min":43,"s_to_c_avg":56.9,"s_to_c_max":149,"s_to_c_stddev":24.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"imo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1646579366752245,"flow_src_last_pkt_time":1646579368878172,"flow_dst_last_pkt_time":1646579368918568,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":182,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1224,"flow_dst_max_l4_payload_len":224,"flow_src_tot_l4_payload_len":11806,"flow_dst_tot_l4_payload_len":720,"midstream":0,"thread_ts_usec":1646579368918568,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"185.155.137.30","src_port":49207,"dst_port":36535,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":24,"flow_avg":138459.7,"flow_max":1002796,"flow_stddev":305661.1,"c_to_s_min":275,"c_to_s_avg":132870.4,"c_to_s_max":1002796,"c_to_s_stddev":299834.1,"s_to_c_min":24,"s_to_c_avg":144421.5,"s_to_c_max":1002553,"s_to_c_stddev":311646.2},"pktlen": {"c_to_s_min":224,"c_to_s_avg":736.5,"c_to_s_max":1266,"c_to_s_stddev":500.8,"s_to_c_min":52,"s_to_c_avg":90.0,"s_to_c_max":266,"s_to_c_stddev":60.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00908{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":37,"flow_first_seen":1646579366870607,"flow_src_last_pkt_time":1646579370069590,"flow_dst_last_pkt_time":1646579370091576,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1052,"flow_dst_max_l4_payload_len":1039,"flow_src_tot_l4_payload_len":6713,"flow_dst_tot_l4_payload_len":11506,"midstream":0,"thread_ts_usec":1646579370091576,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"93.33.47.58","src_port":49207,"dst_port":57604,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00911{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"imo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":16,"flow_first_seen":1646579366752245,"flow_src_last_pkt_time":1646579369944784,"flow_dst_last_pkt_time":1646579369921382,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":182,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1224,"flow_dst_max_l4_payload_len":224,"flow_src_tot_l4_payload_len":12230,"flow_dst_tot_l4_payload_len":731,"midstream":0,"thread_ts_usec":1646579370091576,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"185.155.137.30","src_port":49207,"dst_port":36535,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00559{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"imo.pcap","alias":"nDPId-test","packets-captured":100,"packets-processed":100,"total-skipped-flows":0,"total-l4-payload-len":31180,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1646579370091576} @@ -28,5 +28,5 @@ ~~ total allocations/frees...: 121544/121544 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 474 chars -~~ json string max len.......: 1364 chars -~~ json string avg len.......: 911 chars +~~ json string max len.......: 1351 chars +~~ json string avg len.......: 905 chars diff --git a/test/results/instagram.pcap.out b/test/results/instagram.pcap.out index bd743a2a4..d6de69c6f 100644 --- a/test/results/instagram.pcap.out +++ b/test/results/instagram.pcap.out @@ -11,7 +11,7 @@ 01179{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"instagram.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1436720898354402,"flow_src_last_pkt_time":1436720898501130,"flow_dst_last_pkt_time":1436720898499269,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":464,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720898501130,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"173.252.107.4","src_port":56382,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"telegraph-ash.instagram.com","tls": {"version":"TLSv1","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01358{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1436720898386781,"flow_dst_last_pkt_time":1436720898551576,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":679,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":679,"pkt_l4_len":645,"thread_ts_usec":1436720898551576,"pkt":"QPMIw47hABsv8H60CABFAAKZ5iRAAFUG\/+kfDV00wKgAZwG7hJCk1JOYiMGTh4AYAE6DfwAAAQEIClpSq5UAA+qLFwMBAmB3TNLiDxMdaG\/77FJR8O6B7ETM5PL1YEwRicjM0iP0UHaAjwUM69tZJRboKPSJSylQ1372woiRMUoGT0dkqivXwS77nykGpDpQxH2zG\/qLmXj10Apbm9mNJzojbuGkVAQeXciVaLovJfxV8pe4ApuOMtqX+wzNa0ZzIxrRfdGy1r+REoc96\/duttzeccU7r8F+0sSj4kAMBptpjPxHIWmQ8bvcQmsOZTBbtWqbInBydwnOzZKHuUG4UpWsNoKQLrxSa1ETAsjugoyEe5PPT8+cb8Irh4mKsNfbStX5KDjpe9Dme8aKUCL1ceYHHjALeMY9l4fx2o0KIF6TukGkzvqR8cZ+qcyDG5U\/HYh5lxYTcHS7lDXS1PzV6XOR41h1cZ9L+KxXE6JczRHCSiNT1VF7boI4Qizj5lEdfdajhSQHOEg16UAhsZHpgK1G5Iki1ek6rdWyUqwchJMZYUThaRdJpKv9RM0OW9cAtKW4cZKenq0TEdOPDEBRCwskRboA6Gi3YnhJ3qdvDGkTLGo9t+FpkGczAZZn4gKC4xoEybQb10OFqFb4BP0BHlc1dmzqbYjWeEKW2wJjaNEaqdUvlusDaKzJPAfd\/FC3qcdqBy6RoP1rw6AWfXgFirXb5SF1IsZGaICO7Vi\/A05NBIj2TN+sAkrMTvlnJxzijI3OS4z\/O7pdS0yJ1AhdM2CbNqiTSP1\/fSWG2i895LYIERx7TAiABxyhh9ufac6WLn1D9wJV86snpuHfJEPWipx7pSJs20IjfVBIUe\/onrcoOjL6GotP95FotxVNOdpbLqczmpv1mQ=="} 01235{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"instagram.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1436720898354402,"flow_src_last_pkt_time":1436720898501130,"flow_dst_last_pkt_time":1436720898646669,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":464,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1436720898646669,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"173.252.107.4","src_port":56382,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"telegraph-ash.instagram.com","tls": {"version":"TLSv1","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"acb741bcdffb787c5a52654c78645bdf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}} -01225{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":49,"source":"instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1436720898386781,"flow_src_last_pkt_time":1436720900498659,"flow_dst_last_pkt_time":1436720900498598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1365,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":2362,"flow_dst_tot_l4_payload_len":17365,"midstream":1,"thread_ts_usec":1436720900498659,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"31.13.93.52","src_port":33936,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":61,"flow_avg":87577832.0,"flow_max":2798266957,"flow_stddev":486854272.0,"c_to_s_min":61,"c_to_s_avg":175023680.0,"c_to_s_max":2798266957,"c_to_s_stddev":677318592.0,"s_to_c_min":61,"s_to_c_avg":131988.6,"s_to_c_max":1572479,"s_to_c_stddev":381143.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":213.6,"c_to_s_max":1431,"c_to_s_stddev":396.0,"s_to_c_min":66,"s_to_c_avg":1151.3,"s_to_c_max":1464,"s_to_c_stddev":534.1}}} +01208{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":49,"source":"instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1436720898386781,"flow_src_last_pkt_time":1436720900498659,"flow_dst_last_pkt_time":1436720900498598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1365,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":2362,"flow_dst_tot_l4_payload_len":17365,"midstream":1,"thread_ts_usec":1436720900498659,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"31.13.93.52","src_port":33936,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":61,"flow_avg":136248.2,"flow_max":1572479,"flow_stddev":382122.6,"c_to_s_min":61,"c_to_s_avg":140791.9,"c_to_s_max":1522736,"c_to_s_stddev":383112.2,"s_to_c_min":61,"s_to_c_avg":131988.6,"s_to_c_max":1572479,"s_to_c_stddev":381143.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":213.6,"c_to_s_max":1431,"c_to_s_stddev":396.0,"s_to_c_min":66,"s_to_c_avg":1151.3,"s_to_c_max":1464,"s_to_c_stddev":534.1}}} 00893{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":49,"source":"instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1436720898386781,"flow_src_last_pkt_time":1436720900498659,"flow_dst_last_pkt_time":1436720900498598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1365,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":2362,"flow_dst_tot_l4_payload_len":17365,"midstream":1,"thread_ts_usec":1436720900498659,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"31.13.93.52","src_port":33936,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":76,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720900684083,"flow_src_last_pkt_time":1436720900684083,"flow_dst_last_pkt_time":1436720900684083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":260,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720900684083,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38816,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00878{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":76,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1436720900684083,"flow_dst_last_pkt_time":1436720900684083,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":326,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":326,"pkt_l4_len":292,"thread_ts_usec":1436720900684083,"pkt":"ABsv8H60QPMIw47hCABFAAE4wXBAAEAGQn\/AqABnLiFGoJegAFCP9SVkp0jV34AYH+olJAAAAQEICgAD63Ga3vWjR0VUIC9ocGhvdG9zLWFrLXhhcDEvdDUxLjI4ODUtMTUvZTM1LzEwODU5OTk0XzEwMDk0MzM3OTI0MzQ0NDdfMTYyNzY0NjA2Ml9uLmpwZz9zZT03IEhUVFAvMS4xDQpIb3N0OiBwaG90b3MtaC5hay5pbnN0YWdyYW0uY29tDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50OiBJbnN0YWdyYW0gNy4xLjEgQW5kcm9pZCAoMTkvNC40LjI7IDQ4MGRwaTsgMTA4MHgxOTIwOyBzYW1zdW5nOyBHVC1JOTUwNTsgamZsdGU7IHFjb207IGl0X0lUKQ0KDQo="} @@ -27,10 +27,10 @@ 01179{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":79,"source":"instagram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720900692262,"flow_src_last_pkt_time":1436720900692262,"flow_dst_last_pkt_time":1436720900692262,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":259,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":259,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":259,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720900692262,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.185","src_port":57965,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-f.ak.instagram.com","http": {"url":"photos-f.ak.instagram.com\/hphotos-ak-xfa1\/t51.2885-15\/e35\/11424623_1608163109450421_663315883_n.jpg?se=7","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}} 02436{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":80,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1436720900684083,"flow_dst_last_pkt_time":1436720900716768,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720900716768,"pkt":"QPMIw47hABsv8H60CABFAAW+uH1AADkGTewuIUagwKgAZwBQl6CnSNXfj\/UmaIAQAiku5gAAAQEICprfPdsAA+txSFRUUC8xLjEgMjAwIE9LDQpMYXN0LU1vZGlmaWVkOiBTYXQsIDExIEp1bCAyMDE1IDE2OjU3OjA4IEdNVA0KQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnDQpDb250ZW50LUxlbmd0aDogMTUwMDMxDQpDYWNoZS1Db250cm9sOiBuby10cmFuc2Zvcm0sIG1heC1hZ2U9MTIwOTYwMA0KRXhwaXJlczogU3VuLCAyNiBKdWwgMjAxNSAxNzowODoyMCBHTVQNCkRhdGU6IFN1biwgMTIgSnVsIDIwMTUgMTc6MDg6MjAgR01UDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/+0AfFBob3Rvc2hvcCAzLjAAOEJJTQQEAAAAAABfHAIoAFpGQk1EMjMwMDA5NjkwMTAwMDBjMzQ3MDAwMDEzNjQwMDAwNjM4NDAwMDA4MzJiMDEwMDBiODUwMTAwODdkZjAxMDAwZDRhMDIwMDlkYTIwMjAwNzY3MzAzMDAA\/9sAQwAGBgYGBgYLBgYLEAsLCxAVEBAQEBUbFRUVFRUbIBsbGxsbGyAgICAgICAgJycnJycnLS0tLS0zMzMzMzMzMzMz\/9sAQwEICAgNDA0WDAwWNSQeJDU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1\/8IAEQgEDwQPAwEiAAIRAQMRAf\/EABwAAAEFAQEBAAAAAAAAAAAAAAUBAgMEBgAHCP\/EABoBAAMBAQEBAAAAAAAAAAAAAAABAgMEBQb\/2gAMAwEAAhADEAAAANnYrv6OWePnpwvl4Ucr5ZqutmsxzGNFZbBKECWI2oX8gp+rqOdscgJarTJrPTiAtUZEnHz0qOljcEskD1c01Rksi2ko7C10FaSJqLDY0bkkglRK+J01IqIm99eIL6jmheWgjCKVJUTsjcmxJXNVG3K1KNr3irtvMCithKVbraoq9cQKb5mse+vydpRzhEXinDIvFyoIspSDsdW4LfVORbSFGS9z0Q07Vapihe24SRFCV8D5p7U4fInJNSacY9CnDoLekTpOusTppdQVRUWk5Z3S6nSOaiisOZWrWqtSjFjqVjcxzA+ktxbdV5FmYfOO1PR5O6tOVN6dGCvruavqOenPG2AT0hWptvhfNzvglTijkaS2WB9FlYElvdXcE7qNkc6sYnO6nwWWwvB6cwHJ3BI+Pk7LqzU7SQPCRiRBzWw1M8o9Wr7h8yd2Yes0RUdMne6nInZbXUcjq0gpefEOw6FZdhsSpo1\/NNSRGRwz8KussbUKdHc9LXYK7JQkHbZE9CMRrLHVuCy6tIhIp+ajbOxDZOaN8kM6b52TRosiOmpWqktXN4fR9WcyxQQ3Mi1m1NxKzxO57gjldCOau1Guh6KocxG0s90jNuePlRqSaiqL7xrhlZBD1ROCogrq0VC86jwXI66CmfUcy84e5MlIKemSZRcnZWo5lqOCIVpafMuyjnIKtHOmrjanNWmV0at9VUdlavIty0UHfcNVBHhvASbQRlyCBWndG1xZlpvVXVpuTtPpPHelHPmiqjZJuxJVci8tKRVa6m0Lsg1QJNocO+lKMV1BqVN+Km1zbjrI1P1ZzUr6iNEZRL5ZRw56q6yDgmfWQLsg16ZNg3hkHi+ETQdInbdS4duCJorHU42r7hqMKoMQCnCeAuojkF0F8BRBzhkEpcFpK6im5sQ5GRJU57qi78tptbhTpBzLHQKE7qrwsdX4LS1+Ts9Uc1YWugWOruCfoFCwtRydla3CsLCo7DIlTl6FQm6BQnWuoT9DwSpCoS9DwTdA4JVrqE\/QKOx0ChM6u5EjoeCVY+ZIiIA="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1436720900717195,"flow_dst_last_pkt_time":1436720900716768,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720900717195,"pkt":"ABsv8H60QPMIw47hCABFAAA0wXFAAEAGQ4LAqABnLiFGoJegAFCP9SZop0jbaYAQH+o19wAAAQEICgAD63Sa3z3b"} -01347{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":110,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1436720900684083,"flow_src_last_pkt_time":1436720900734468,"flow_dst_last_pkt_time":1436720900734651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":36868,"midstream":1,"thread_ts_usec":1436720900734651,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38816,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":30,"flow_avg":7103.0,"flow_max":126342,"flow_stddev":22825.4,"c_to_s_min":305,"c_to_s_avg":29454.5,"c_to_s_max":126342,"c_to_s_stddev":44709.6,"s_to_c_min":30,"s_to_c_avg":1944.9,"s_to_c_max":32685,"s_to_c_stddev":6167.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":109.3,"c_to_s_max":326,"c_to_s_stddev":96.9,"s_to_c_min":1484,"s_to_c_avg":1484.0,"s_to_c_max":1484,"s_to_c_stddev":0.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":110,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1436720900684083,"flow_src_last_pkt_time":1436720900734468,"flow_dst_last_pkt_time":1436720900734651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":36868,"midstream":1,"thread_ts_usec":1436720900734651,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38816,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":30,"flow_avg":3256.5,"flow_max":33112,"flow_stddev":8022.9,"c_to_s_min":305,"c_to_s_avg":10077.0,"c_to_s_max":33112,"c_to_s_stddev":12075.5,"s_to_c_min":30,"s_to_c_avg":1944.9,"s_to_c_max":32685,"s_to_c_stddev":6167.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":109.3,"c_to_s_max":326,"c_to_s_stddev":96.9,"s_to_c_min":1484,"s_to_c_avg":1484.0,"s_to_c_max":1484,"s_to_c_stddev":0.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 02434{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":130,"source":"instagram.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1436720900687959,"flow_dst_last_pkt_time":1436720900744752,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720900744752,"pkt":"QPMIw47hABsv8H60CABFAAW+u1hAADkGUttSVRqiwKgAZwBQ4lApkhzMOpIM7IAQAku18QAAAQEIClYLL1sAA+txSFRUUC8xLjEgMjAwIE9LDQpMYXN0LU1vZGlmaWVkOiBTYXQsIDExIEp1bCAyMDE1IDE2OjMyOjE3IEdNVA0KQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnDQpDb250ZW50LUxlbmd0aDogMTEyMjY4DQpEYXRlOiBTdW4sIDEyIEp1bCAyMDE1IDE3OjA4OjIwIEdNVA0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KQ2FjaGUtQ29udHJvbDogbWF4LWFnZT0xMjA5NjAwDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/+0AbFBob3Rvc2hvcCAzLjAAOEJJTQQEAAAAAABPHAIoAEpGQk1EMGYwMDA3NWIwMTAwMDBjZDFlMDAwMDUxNmQwMDAwYTY3YjAwMDBkMzhhMDAwMDQ3MTMwMTAwZDU4MDAxMDA4Y2I2MDEwMAD\/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHBwYIDAoMDAsKCwsNDhIQDQ4RDgsLEBYQERMUFRUVDA8XGBYUGBIUFRT\/2wBDAQMEBAUEBQkFBQkUDQsNFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBT\/wgARCAKAAoADASIAAhEBAxEB\/8QAHQAAAAYDAQAAAAAAAAAAAAAAAAECAwUGBAcICf\/EABsBAAIDAQEBAAAAAAAAAAAAAAABAgMEBQYH\/9oADAMBAAIQAxAAAADRJrP1fOIlpAgZgklAaSWREiWQ0hYBBKMG1GQ0mshINSQNKwDZqISVGBpCiEDBAlSiBIUY0GoAhRgEhRMIlm0hLpRTallISS1AgnEASgbEmowbUamIMzBKgaCCgBEs2NLM2INRiSFhiApTEksNJDhobBqHjA10yQHEiSSgCQoARGYJBhCQZgklkCTCgQThDSSzabMzAkuECSUY0gwJJmbEGogIGpiCWaEBSgbNRAk1hiCcJCDUGkGshpCjEkKVJthagbCzEgKMEmYAjNQICzaaWoAhZmxAUYIUZySQsAQcITZqJSxlGVMgDAJCwCUrCEBQYgwoEBQQkzAJBmxKXSBBmbEAGggowSlYBIcQJKloYRrJCQtLEmsASVhiA4kRGYGQUQkk4AQsEwgswbNZNESw2kzUk2awBJdKQg1KQ2ow0ROkNBOpEk1BhBZtEDMASgCCdCMMwuixAcIEBYE2HEjbNYBBOkNAUoSCWTaTCiKSWBthwkkBZAQUGINwDaCjkkhZobDgBCXDE0pYbQThobDiXEicJjalhNIMCSayBCjAEa0ySQ4QJNQYkzMCJYBBrMEEpQIDokIJwkIUoMSToBClAEGtQkEs0YClHRYk1pBIMwbNQYgnSYgLIEBwkICyYhS0tJCxFthwmkKMASVmhAWbEE4TSQsgIGpNBLIRBQaQayBJOAEBwMQFpAkukCQsAg1kwjMMCVgRGahtk4ASFmDYdSCQtbGjUbRJdAkBZDILMTalGxBqU0hLiYmGDXVNCjMaUrANmsIQlZttqUY2w4RFAcShClECQoCSlwmETgBsKNMgZsSTpAgKSIlGYICyESVkBBYBBqJog4E0E4TEB0gQHA00FqGlLhuKTNQINQJJJZgg1KY2ZpImFGNJLDSTWQIWFASXDBBg5BGoAgOEGEajpmg1hCCcIEEswQl5DSTM00EswQFATalGCCUYJJRg2oGCQsxoSswQow0lLgQhSgCDUGkBYEkOEDYdAIJZgk1ESQpQcUhRsSFGCQZgklgEmZg2pZyEBZgglmMiWQkhRgkOBoicSMiWbSDWGJNQBJOAMAKVVMgYiIUahNE4Y2wsNICwNCXUCIlmDRuGk2S1NsLUYIJwRbZrDSAo00GsmINQEkk="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":131,"source":"instagram.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1436720900745027,"flow_dst_last_pkt_time":1436720900744752,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720900745027,"pkt":"ABsv8H60QPMIw47hCABFAAA00CZAAEAGPJfAqABnUlUaouJQAFA6kgzsKZIiVoAQH3QuLQAAAQEICgAD63dWCy9b"} -01352{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":161,"source":"instagram.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720900687959,"flow_src_last_pkt_time":1436720900865663,"flow_dst_last_pkt_time":1436720900865785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":253,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":253,"flow_dst_tot_l4_payload_len":22769,"midstream":1,"thread_ts_usec":1436720900865785,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":57936,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":30,"flow_avg":15179.6,"flow_max":130218,"flow_stddev":35814.9,"c_to_s_min":336,"c_to_s_avg":20528.1,"c_to_s_max":130218,"c_to_s_stddev":41981.7,"s_to_c_min":30,"s_to_c_avg":10460.4,"s_to_c_max":111480,"s_to_c_stddev":28493.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":82.9,"c_to_s_max":319,"c_to_s_stddev":63.1,"s_to_c_min":186,"s_to_c_avg":1405.4,"s_to_c_max":1484,"s_to_c_stddev":305.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01352{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":161,"source":"instagram.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720900687959,"flow_src_last_pkt_time":1436720900865663,"flow_dst_last_pkt_time":1436720900865785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":253,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":253,"flow_dst_tot_l4_payload_len":22769,"midstream":1,"thread_ts_usec":1436720900865785,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":57936,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":30,"flow_avg":11468.7,"flow_max":111969,"flow_stddev":29722.3,"c_to_s_min":336,"c_to_s_avg":12693.1,"c_to_s_max":111969,"c_to_s_stddev":31105.4,"s_to_c_min":30,"s_to_c_avg":10460.4,"s_to_c_max":111480,"s_to_c_stddev":28493.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":82.9,"c_to_s_max":319,"c_to_s_stddev":63.1,"s_to_c_min":186,"s_to_c_avg":1405.4,"s_to_c_max":1484,"s_to_c_stddev":305.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 02425{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":179,"source":"instagram.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1436720900692262,"flow_dst_last_pkt_time":1436720900872835,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720900872835,"pkt":"QPMIw47hABsv8H60CABFAAW+QeVAADkGzDdSVRq5wKgAZwBQ4m1aOHmGBPBEEYAQAktTqQAAAQEIClnq0tYAA+t6pEVxjNbEsTo05BJiqWC+y9Cm00IuBsqQ3OjXYmls3ooNNijoaA4JvaGXA6WBNFUSNxldWicRkqfSvQ+ysT9n0voZ+EyJR6Oy8JFg5mjiK3jhnpErGpjhG8skeRODdCdQ2MDy8miGRvQk1oSZFhVmGQ28jcag3sVEigomNJgo2R5DYnSdEiIuyPaJg2JvQlTQl7HH2PCFhjS9CYo0RCdlSaY2qVbA7SVlukMk60Nrou0FvVb7YyZLsTJUNNjXYcKjL2NNBHY6YRIqyEsm+g1byhIVtLCoTuULeROaIZSg30H1KXibE4I6MNQaNsuwl6EmkRW2hNPKHVGvY2h4LXCptXgsREUx4KkzYc6itsZrGceuCUwiNvZ0NlpU4bHVgOMeBQT+hXsW4NkxniYRKY0LOGPOuJ3wxvNY30XInTbyUHSrYx3BbGhCWhOLAjiZyQZFUJdjY3cIt4ZOkJvIlCy+hRiRG+RuPBllCy6VrIsIWMN5wEbUZGNRwXYxYMsCZvBM0SI+CRpDbsamyBbROyZoo8CJEl6E9mJ2S8EM3LEKN5FGYSlBs8UdkxmA2mpRC0zPZ7xJ9CwL8H7GJMEIRrTFqwKrYnyiJkSFrOodENU0wTGWNK2jlI9lfZlilokuhJLsxJCYIN4hejdRoOrIspMTJA01hjZUKPFINeESqCUMEQXvhWETJONsmi4g1wbPQfoNvgSpYMGCvY9YNIqvA3SQSmRLI4YPo2XNMYImYP1DY4jPgTTw2RtDTZj2bUhs0VbI6JdDjHkaG0not6KSwmmsQgk2Q2d8EY0NThbnDb6LikplbG2dZcC3WN4yZoyEhYNBej0BWx7I90tpJlyN42ZDbInnJ1C1j9i4ezDdGzUCRBRluhyJbIYWhtD6NOhqmcKFroh5EphFtxoj0LHA27N4EuzbHNiablHlZGpBOsMNmxNFXQsIyISmhtLI00bJ7F+j1S+jDRaWi3vmNnZe2dMzFsHjJciezaGpgnsUwLB9OsnZ3niE9jVXaWBDK2XAvaENk6N0ekQ2O9mkVid2JeCeikitCaY2qSMSexWxPhK4FBtCR+iXk7ssgLA2L0SCdTorMmVWF2XC0NTE0Jx1GuCltCJQTg1LLSyaM2UJLoSF6DFF9Mw9kaL7IKmI4MmxmzPiZWtisp9MNxiCdRNs2PYXFI7EHTI1SpITxUMwngXpkyZLmoTeRzsWCnZ+DfRVtifokzCxuYoykLQuIaLckmHw90WsHeOLnJ84eDeStIr0XApBloXsSFOuGxPJSo9D4JV5INNsaqEnFWmLKwNNiDhZETR+8N0hPQnDfQ9jUeRJC3L2abSUYrSyXKQvTLUJ0TMDXTG22NpLA+h7pbgbPbEFhURZQjQj9GNi+DZGcFGLsjYTTQlYRp28M2yQyxotDecoU0R2IEl2iJYG4illoT0E0yNMauOGKUSPA0mRrZpNHQ9mUtCe8LiDqwZ6FGTD0YCawPKG6VPR1B6om0oVtJszsT2oPLg1iChibE3sd6Emqj9QlcmEXhv0J3fFLW0UaJbG7obENhs2LInSGhYWLA09oR2MwU2WaOiiYyFETeCZiGhtrYmeGRtwUYEs5HJsYE8FFhHQyA82YMmWhvJ+luERPJpCaXRrgavgriCd7HBcZJXUMHg9aNwpE0U5guCZyNlQ8sSjo1kSMsTUUFRQbOhYwhtnKP6SOXI1R12JOnuIeq2VMpZgm+hdg0iYglGUXsWqM1gbLTRccdQh6Ku0exnodIIyzBObLeyzRbgl2MPIvcF+DTaqR8HaG7s1kuabRjJ0TpPR2VPJV7KLKyJPRF0V2DRrKEZhaNsjpZo9uNoKHwaJdi0JwbUojVhqtMTJ4I0NdDcP0bBkIaxSOjsCQm08MyRGoPKyP2uPoVQ="} 02431{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":180,"source":"instagram.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1436720900692262,"flow_dst_last_pkt_time":1436720900873323,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720900873323,"pkt":"QPMIw47hABsv8H60CABFAAW+QeZAADkGzDZSVRq5wKgAZwBQ4m1aOH8QBPBEEYAQAktstgAAAQEIClnq0tgAA+t6yOoxEtjJYMe0j6G03geIuahaK1oTHsEliMMTZ8IV3w+jNLnJcKpRQYoNH0Q1owU7ElIg1BvY00M1sKh00GrYYaKmxapIfSuhKlliV5Ggz2ZEdUXqEuURYhcRmGdF6HkVYKkoGKmh3bGvRvDFLCRD9sysMedkSiftieCrscIysGDeGZuR52JNFJwy1gdIqmuE8SC43k2NNmXvnK0LZ7Q9kdYKlspkg9CZoqhXWJtbKpgafXBrJWhOsqdlcjGlMIf02UEyYUEoN\/R3BPJjY2bCG2s0iEvRRNQ+jO4xqKDwyI0ohahosjThi9BIrI7gehuDWUCCJLBXotaGI3Qlg0wJ4IVBKoTow2PA\/UqeR2ILqdQ62OGMraO4hekPhuNoceBSE3cCJmskaK+hP2IZK1kxs+D0NwaUQbYMYurNlQeMoTLYsrBUslTyTGB4bJjIpUh1Csyxlol2o3gucCaI7VzLkaJHRLOOI9DqwQy9GXvictCZRvBROF7M75lwMNqMbA1Q7yIm8GJWsFybGm8jbOi8hKnkr2M2jAtIEustYo61E\/YmmP6L0b3whJbGvRDYcGUzATfFIDVQIw2Oobux01kTo0N6FINdmGBYdKOUophoRJtodkbFVo9gsdiVGqholRuBaWjGKEmDKSSFXnjQZrsSagmHGQ2V6YSOqJlWjZkzB3BjS9mOWLBMSDwqGspicFTSY2vRnKTsOEJT6izJU3UzZMYLFNbFHhcKrhEElmjUHgsGw3eFliqL7LktKtGhuCzshGkdcMxokwNDSEy0x5WRazwkNsaY8bLNjG6JXCGsDRGmNiieYQKFSLNMh9GJBBqDcYmQ\/TLYs4Y5okeCCq6KrROsWRPA\/QgqexNDwJeyORUtLVhijncHacZgTImKglDuKPKPiNMVuBBPFGsVisByZlsa7HsdRZxjrKIyEiLkwMS2JuxPlJTJB8H6bZlkrSN1n4byX0J4EzWxRB5yNNiRbIpUIU6KJCXaHjR8G5KJ9CS9nWBuYG8YG6i9HshCfoTL7I9i9svs2S0igzvAmIqQvhrDHLkQf6KrgpKCatLEWjeRJbOsDeINKDg0ui5F0zaibWWN0bpi9BWZoEHKMpILVMCwVlji1gwwlSnhCVWC+iHqDPofxpWqTM0eNJ2xqh8YRjmCGxosC24xO6HlDsYiabHsVY3Q2j8FwXDnhHTop2I0ZBKKmqh+g1MksMLJUzHQ4tCWBioqFxpAlEhOSDo8Dagmn2S4NI9pDj9P0qphlFmxt9ob7Q4fDeWdIS9mSomrgesCHk9xVyISbeBYZYqOnkRY6Qi+xNoTGi3wtcJ8IdEGuiiJs+CUCzHWBIwyehKjUWCjSYQ2xehJQkV4bmCDSE3ajpBI9MbbKsnYhMqSE6SoSmxVZQz7F7Cxw52a0Oi4wa6G80SyNISCZNs1kTWjAjbEjBSIX0JgVNEej4YLk6FUNkLSpOMieS4G8EdEeg2KpGUxUsEchDaYw1FYKjISLZtH5xdj6MjnZrR0KQaPJCYqtCpZNBN3Ym8GJNCRoeRqPAyVRi2Jvp8EoJ4hRsvRtEZTjFNsRZ6Lg1GM+iyL6KpBqRssXcg5w2Ui1l6HGqjFFnaPpYhNtEfI6Fk9p+jWy+h1jWBucKo6btHQ1cIbLY6jKwI1kTtCe6OF7GyQ+luTvB+OCeRZE8Cjzw\/QQ2lsbbGNL0REErSTiKuDRksFTw2JZIJTbY1oaZGzXwTzsbdEiLmog0Ji7YqmN+hroiag0PQeUVDI9mcQw6G101ZROVMQtGQ7eH6WaIbNDwsDsK10NpNDbcMrspisEOJISYYqTRU0RDqgVWGQxaXIsvmpFmWPDA8JDDqHRSQsC9DYnnBYhpbF9KmJvaYk7Ktm8jfrhZcJnL5r4twNjbk="} 01194{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":180,"source":"instagram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1436720900692262,"flow_src_last_pkt_time":1436720900692262,"flow_dst_last_pkt_time":1436720900873323,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":259,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":259,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":259,"flow_dst_tot_l4_payload_len":2836,"midstream":1,"thread_ts_usec":1436720900873323,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.185","src_port":57965,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-f.ak.instagram.com","http": {"url":"photos-f.ak.instagram.com\/hphotos-ak-xfa1\/t51.2885-15\/e35\/11424623_1608163109450421_663315883_n.jpg?se=7","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}} @@ -41,7 +41,7 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":202,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1436720901182283,"flow_dst_last_pkt_time":1436720901182283,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720901182283,"pkt":"ABsv8H60QPMIw47hCABFAAA0W\/BAAEAGs3DAqABnTUMdEYS4AFDrYaSj8+woZ4AQH+origAAAQEICgAD66NkobAz"} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":203,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1436720901182466,"flow_dst_last_pkt_time":1436720901182283,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720901182466,"pkt":"ABsv8H60QPMIw47hCABFAAA0W\/FAAEAGs2\/AqABnTUMdEYS4AFDrYaSj8+wze4AQH+origAAAQEICgAD66NkobA0"} 02444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":204,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1436720901182466,"flow_dst_last_pkt_time":1436720901183137,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720901183137,"pkt":"QPMIw47hABsv8H60CABFAAW+nH9AADkGdFdNQx0RwKgAZwBQhLjz7DN762Gko4AQAq9DyQAAAQEICmShsDQAA+ufWEdJBRPnaSmosKHYDmQEyGHV3GAwTrGe5kQxyGEYyxmyELBrJc+SMi3dmmwq1mAYjd9asgZG6SWIbmuecSeibLvJUKPOw0JlNLd+SsFoR4AyWWZMuWzjy22t8lg9nL1yby0j7G5yGHP2UfvrthqhUQLZPhRPRii5ZImLbbxtBh75Nwi10QstpiiOURwgsk\/gse0fhODW3xEaIlCTuwGMxEsajO6KBwgVZE4oD8EZJ8CUI+IftidbAnEAzCB+CxiXeSUkT7I4PLvoy1NnMNCUuGI63ybZNQBpkMtmgmFlmfthxhK9DguCw4XPNprshLbUVoAbHdBaG0WibQPaUDoawN0QnEMFu5OOsEXu+c3ydgozRy0R9FbV0F8hsoSyHLIicGyGMakQqAYSTks8J\/2+\/kORfizOWuAtMcMCSaUPfEY6f\/ttodWXWPLX7bzs5o8i2FH5IZ4wLEpEOhwV2MADYJIWDBmF9CQdn6hh1kzmvWM7b4SuFg+iI0QmrTgRgMl\/rAMZDtwdyKQyk+DPksJTgtrhZZRA\/GY+X2oyKfiboDY0NouOzUthrGCw4ToWxqMKM+rf1sDDAEsjSzJB7rCfcDOwibANVH23SwWhh5rFCY04ksXdhurOKpIBQXzCwN2yHF8S1j2hc2z0kMsCW+OeS+e5HaaRoyzZaCzPNrgnwkhY7i8yZQkeMkH4woSzgHZw7AMoJTs5nD21BiRDuFCBqB4lGX+kk55UTfE62aMJ9jBPBhqltnyYDTEarQKEsWGbVjV7cRHRc\/JgmbZkQlW0YI\/xZdFg6wN2R+J3fOBbBmIcOvB5bIKiWTEFFXRESk7pA\/G3UwXXKB8XDGTJIAkPv49GZuMRZBkC+FhZzCzZ\/iYJh8LIJjV10uzY7Q6E8RpFbyee3Ru25UC5ETbDsFPCaR1ZZC+Qlrsu3Z2QOnm5Ijct96wHLCiQoCUx5CFCGTynRCNjadMyB8tlLRKCwv7KX++dvy1I4Ngs+X8bALTsRQ81XIDydJihBYicmO+O5EykyOu25b+jIYCOXX2WfISuvyX8JiI2GJxqYZEg+OZPoDhxBrn8TYtguClNRehGIQDtqZcwjb\/V86w0sQMOHMZzpnYBjpA8i2eJoGlmik3CQHHMRm8DxLkyFvCZWDFGTUEVI6mHEnfCoaSoN+\/pJIKAlCT4XxDOVC6F8g19jfq1eEJAj0k3u3yFtEJC0DXJolurtJkzJ6y5KHJWSGujZ7ucFS0YjpIoSX0blPAySPJvg33fP2OLma7cQ\/o6PyUHgctick8cobWRNWzIJG3koi8vkKbBIHEMIhdatBUZ40kmN4wtVBz4xoAKljf4v6tXAUt\/sabl0bLkuRE5KikyGgBCbojsrcdwSEGEBomIUFpEl4TvPOqQ8EQF08if3O9FnhnUw2jwQHpaPsw+3EzgNs0zWy6OB623FWGwH7yRctwfDWnw6uSz7AvbHpmHBs+lzanaBkBBq2DLF24dyAfJ1fyW2F8GD9sWLVnjCGZF3EsLst8bQIxxKOwYkoOS2WRsw0xVMJlnywe3Dcc8w+9gQNiBfxyDpYA\/BXzFgEQ3SDtI\/Iov2XBZk1lmPY59tj\/SH+23V5dy\/iiOkLW8UdeiSozNTMFJIdoa309Kn34h+DTnlxZPJVqKRj7du3Uk37CetFC6vFxS2151HHC6aWXemK7B3BpAILjJ\/RL8v0ZA5dOz14w3bAaJWBEg+oUMkesS4WzNnMtGFzWDqZOmcWARMZvW5QUXehDRGok1aYS2VUwcI4nRFkmR4HYk3YsQQ7hbSjts4wBuESi5cIWAPkICk+lgVslThZsIux2ZS+mHik4DwoYI7IF8QlYXTsSiw2By7i5s7AeQhpAzljeQfkQaQPQMK5P3IVCAQHZWMgI="} -01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":255,"source":"instagram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720900690339,"flow_src_last_pkt_time":1436720901257356,"flow_dst_last_pkt_time":1436720901259248,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":259,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":518,"flow_dst_tot_l4_payload_len":24096,"midstream":1,"thread_ts_usec":1436720901259248,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.186","src_port":44379,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":61,"flow_avg":39641.4,"flow_max":372071,"flow_stddev":92697.2,"c_to_s_min":61,"c_to_s_avg":46641.0,"c_to_s_max":310272,"c_to_s_stddev":89356.6,"s_to_c_min":61,"s_to_c_avg":33465.2,"s_to_c_max":372071,"s_to_c_stddev":95121.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":111.7,"c_to_s_max":325,"c_to_s_stddev":84.7,"s_to_c_min":1474,"s_to_c_avg":1483.4,"s_to_c_max":1484,"s_to_c_stddev":2.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":255,"source":"instagram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720900690339,"flow_src_last_pkt_time":1436720901257356,"flow_dst_last_pkt_time":1436720901259248,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":259,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":518,"flow_dst_tot_l4_payload_len":24096,"midstream":1,"thread_ts_usec":1436720901259248,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.186","src_port":44379,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":61,"flow_avg":36642.8,"flow_max":372071,"flow_stddev":92640.3,"c_to_s_min":61,"c_to_s_avg":40501.2,"c_to_s_max":310272,"c_to_s_stddev":89383.9,"s_to_c_min":61,"s_to_c_avg":33465.2,"s_to_c_max":372071,"s_to_c_stddev":95121.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":111.7,"c_to_s_max":325,"c_to_s_stddev":84.7,"s_to_c_min":1474,"s_to_c_avg":1483.4,"s_to_c_max":1484,"s_to_c_stddev":2.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":262,"source":"instagram.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720901262544,"flow_src_last_pkt_time":1436720901262544,"flow_dst_last_pkt_time":1436720901262544,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":258,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720901262544,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.153","src_port":37350,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00875{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":262,"source":"instagram.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1436720901262544,"flow_dst_last_pkt_time":1436720901262544,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":324,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":324,"pkt_l4_len":290,"thread_ts_usec":1436720901262544,"pkt":"ABsv8H60QPMIw47hCABFAAE2VBZAAEAGt67AqABnUlUamZHmAFCdoJYSxR9Z0oAYDfbnvwAAAQEICgAD66tZ6cc2R0VUIC9ocGhvdG9zLWFrLXhmYTEvdDUxLjI4ODUtMTUvZTM1LzExMjQ4ODI5Xzg1Mzc4MjEyMTM3Mzk3Nl85MDk5MzY5MzRfbi5qcGc\/c2U9NyBIVFRQLzEuMQ0KSG9zdDogcGhvdG9zLWEuYWsuaW5zdGFncmFtLmNvbQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KVXNlci1BZ2VudDogSW5zdGFncmFtIDcuMS4xIEFuZHJvaWQgKDE5LzQuNC4yOyA0ODBkcGk7IDEwODB4MTkyMDsgc2Ftc3VuZzsgR1QtSTk1MDU7IGpmbHRlOyBxY29tOyBpdF9JVCkNCg0K"} 01179{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":262,"source":"instagram.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720901262544,"flow_src_last_pkt_time":1436720901262544,"flow_dst_last_pkt_time":1436720901262544,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":258,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720901262544,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.153","src_port":37350,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-a.ak.instagram.com","http": {"url":"photos-a.ak.instagram.com\/hphotos-ak-xfa1\/t51.2885-15\/e35\/11248829_853782121373976_909936934_n.jpg?se=7","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}} @@ -75,7 +75,7 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":344,"source":"instagram.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_src_last_pkt_time":1436720908466005,"flow_dst_last_pkt_time":1436720908518251,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720908518251,"pkt":"QPMIw47hABsv8H60CABFAAA0kN9AAFUGV5QfDV00wKgAZwG7g+MQ445PobbjVYAQANn+UgAAAQEICvAgscMAA+57"} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":345,"source":"instagram.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720908521089,"flow_src_last_pkt_time":1436720908521089,"flow_dst_last_pkt_time":1436720908521089,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720908521089,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38817,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":345,"source":"instagram.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1436720908521089,"flow_dst_last_pkt_time":1436720908521089,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720908521089,"pkt":"ABsv8H60QPMIw47hCABFAAA0\/y1AAEAGBcbAqABnLiFGoJehAFBl4Bu99+Pb34ARFTc19wAAAQEICgAD7oGa3vT1"} -01191{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":346,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1436720901182283,"flow_src_last_pkt_time":1436720908522279,"flow_dst_last_pkt_time":1436720901200136,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":26795,"midstream":1,"thread_ts_usec":1436720908522279,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"77.67.29.17","src_port":33976,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":31,"flow_avg":239371.3,"flow_max":7321503,"flow_stddev":1273064.2,"c_to_s_min":92,"c_to_s_avg":587848.4,"c_to_s_max":7321503,"c_to_s_stddev":1945474.6,"s_to_c_min":31,"s_to_c_avg":939.6,"s_to_c_max":3632,"s_to_c_stddev":970.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":66.0,"c_to_s_max":66,"c_to_s_stddev":0.0,"s_to_c_min":1337,"s_to_c_avg":1476.3,"s_to_c_max":1484,"s_to_c_stddev":32.8}}} +01191{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":346,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1436720901182283,"flow_src_last_pkt_time":1436720908522279,"flow_dst_last_pkt_time":1436720901200136,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":26795,"midstream":1,"thread_ts_usec":1436720908522279,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"77.67.29.17","src_port":33976,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":31,"flow_avg":237350.0,"flow_max":7321503,"flow_stddev":1293384.0,"c_to_s_min":92,"c_to_s_avg":611666.3,"c_to_s_max":7321503,"c_to_s_stddev":2023092.4,"s_to_c_min":31,"s_to_c_avg":939.6,"s_to_c_max":3632,"s_to_c_stddev":970.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":66.0,"c_to_s_max":66,"c_to_s_stddev":0.0,"s_to_c_min":1337,"s_to_c_avg":1476.3,"s_to_c_max":1484,"s_to_c_stddev":32.8}}} 00897{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":346,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1436720901182283,"flow_src_last_pkt_time":1436720908522279,"flow_dst_last_pkt_time":1436720901200136,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":26795,"midstream":1,"thread_ts_usec":1436720908522279,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"77.67.29.17","src_port":33976,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":346,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1436720901182283,"flow_src_last_pkt_time":1436720908522279,"flow_dst_last_pkt_time":1436720901200136,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":26795,"midstream":1,"thread_ts_usec":1436720908522279,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"77.67.29.17","src_port":33976,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":347,"source":"instagram.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720908523744,"flow_src_last_pkt_time":1436720908523744,"flow_dst_last_pkt_time":1436720908523744,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720908523744,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"8.8.8.8","src_port":51219,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -141,12 +141,12 @@ 01177{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":466,"source":"instagram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720942580781,"flow_src_last_pkt_time":1436720942580781,"flow_dst_last_pkt_time":1436720942580781,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":255,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":255,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":255,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720942580781,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":58053,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-g.ak.instagram.com","http": {"url":"photos-g.ak.instagram.com\/hphotos-ak-xfa1\/t51.2885-15\/e35\/11379284_1651416798408214_1525641466_n.jpg","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}} 02448{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":467,"source":"instagram.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1436720942530885,"flow_dst_last_pkt_time":1436720942592195,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720942592195,"pkt":"QPMIw47hABsv8H60CABFAAW+MAFAADkG3jJSVRqiwKgAZwBQ4sRSEEyML7VmbIAQAggFiAAAAQEIClYL0tgAA\/vKSFRUUC8xLjEgMjAwIE9LDQpMYXN0LU1vZGlmaWVkOiBUaHUsIDA5IEp1bCAyMDE1IDIxOjI4OjQ3IEdNVA0KQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnDQpDb250ZW50LUxlbmd0aDogMTE3NzgwDQpEYXRlOiBTdW4sIDEyIEp1bCAyMDE1IDE3OjA5OjAyIEdNVA0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KQ2FjaGUtQ29udHJvbDogbWF4LWFnZT0xMjA5NjAwDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/+0AfFBob3Rvc2hvcCAzLjAAOEJJTQQEAAAAAABfHAIoAFpGQk1EMjMwMDA5NjkwMTAwMDA4NzQ5MDAwMDFlNjAwMDAwZmE3MzAwMDA2M2U0MDAwMGEyMzYwMTAwZTk2MDAxMDAxMmNjMDEwMDdkMTQwMjAwZGE1ZjAyMDAA\/9sAQwAHBwcHBwcMBwcMEQwMDBEXERERERceFxcXFxceJB4eHh4eHiQkJCQkJCQkKysrKysrMjIyMjI4ODg4ODg4ODg4\/9sAQwEJCQkODQ4ZDQ0ZOyghKDs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7\/8IAEQgEOAQ4AwEiAAIRAQMRAf\/EABwAAAEFAQEBAAAAAAAAAAAAAAQAAQIDBQYHCP\/EABoBAAMBAQEBAAAAAAAAAAAAAAABAgMEBQb\/2gAMAwEAAhADEAAAAO9N4sXTDu15V0zXWqS6eeKmgreaCCmgg7uEVJBFpoIqbJxUnCLu4QeTiZpSHB3cGdOqZ3QRk7jdJJupIE7IbunTdJ01OMhpJ0O7ON3aSOfwekxeD0uW5b1DncnTsA9NJjtugMD53fqZhIgWgSaAtbEsWQtyzLPTnJhkzlli0uis5Bw7O7irEdfDm7Q3o5VwFjvEUYqlhUYWiOMp6HN4L9xoRfHbOtZDzdIqnt5UkurlUXoRcsXKR16897uavZ1aZJAySBM7AzpAoyQRQgyWmsrLZ1OZUcAMdHNE+Pr4jXWjcf5Yn6n5BjRjQdkY2Ci0j2KtwOa\/UpM3ThJRs3xi0n0mLpwZpOEVJkou7MSd02Z3ZFpOEHkgZ06GTuOLuhNJONJONnSQ6khpJwSdxp0k3SkN0kh3Zxu7STU1Wnghs\/P2jYmxyVZaPV5dg9EEcFEMbREli20VTekwDSyB3KDNbYk3lNtwDNIYAe3by0E+sjys0+hryZgbUO7JtFhyPAtU9x0fnXT5Pe0s8iDQmLcK2RFHXhU6XTyJnQ28l6vzLNitasqL77zvTx19X0ci6zQXnPPdfP7MvnHFT+lsL59dHsm\/89emZV6Rwnnza5jdZxo6r1zovBcxn0zk+Fuz0rN88YOj54WAHVCQZESpRo6asDUEg+pcTzW\/zOv0wrwT2tqjD9I4GWD0GFZpn3V3jttz7jDCvpQgFzWGnoul5+tsu35+PE65+hGeTZlT7uR8ydJvn72\/jvpsaaqz69ctVZ2lpLKT0oqTAk8hxUkhJOCdONJONpJwUoyTdncE6dNSUk25Pb4401KwD+XrjwXoWViQow+4a5bP6vJ0nnR9YKwCs6sKb6awPu58RHXNxxs1uwH0ZoswO2Gbbm0i2IA2jMsDvRdUaULFs2KwzolWtLXv2s7q0nGSLJCq2zNhzG32cRjcZ5mHvkvmnpYZ\/G44avfLzN1IbE7nlky\/T\/MstLZrG1W\/PSfZOu5d\/ArvpDw\/t5uJCKz6NPKChFXSGiq1p59mmZDDhAbKIjC40UhbGFKqLSdOLO4MkkfQh1cJjj+O9GqqPQOf5vU87txCsYGo7vZ879onVefdz8yDmjOv7+Tz\/pFy8v0="} 02456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":468,"source":"instagram.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_src_last_pkt_time":1436720942530885,"flow_dst_last_pkt_time":1436720942592409,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720942592409,"pkt":"QPMIw47hABsv8H60CABFAAW+MAJAADkG3jFSVRqiwKgAZwBQ4sRSEFIWL7VmbIAQAghpXgAAAQEIClYL0tgAA\/vKkxiut5qB26Ow9Pj8+yfWMCa4DUGy+Ho3+c5jmKfpvReNdKH0EH5lbcbz+eZjXvWt849W37RLwLcqfYn89ApepLzJrn01eX8qj3x\/Byg9vl4hMftksS8eq4V9yQ9dg87nd3j8t6NPn9HZ78M8\/m15\/SI4iV0+Hr5YZdJFWiriRaANGqKgC2yBU5D1y9AGO5LwC+hZAOnTCa0b8GSfSXc3ZK6AUI8M2\/RlL0N3AaXqkYlae70WFvXE\/MysjfHhicTX059\/nyudDYrqom8O\/SwbXeAYWCl2HDbeHOmh0nFvU+hbHnPQ5vucrmudw17ngsyPVk8VHSYNOA4HAkiaZ9LkB4VlFV6oQoQoqHF7YpwjYwQuo3UsJOh\/RGPbfOPDFikaxDY4DU5OkkXmo2bPofj3YqtI3A2tMe8H5Nt8O55y1B5\/7N5\/Hj7N63x3O1z+g38A6wXb+eEc9NDyaVW6IJldX6R5B6ZmuRoJAaDtPubZt\/FrO\/ofNxI07nn+e9Kt8ed1WPUA43vniOOoe+MdtjoYlp8vJuziWF9ZSfTEwvQuT1MrucEnl3NmPfozec2Q8b4rocvm7XZ0ZulcvKtUOGRAQ4+gnWZDVgPNWhEKtHOpze6ZyDRXdX8BKT0GfAkRXbz40uX19WJqIDO0OmFTszkplJub3z+cPQ\/JvQ6z862sGNz1mVnCXPSY4Ty9OzHqpGSzpKihVIIPNmVKcRNOqLCYDILVVeEY398LgV1vOVI9RE0wT4QEQJpSDAaZU3nNoOD251yCtoLfS5daqb9QCMzcp43dzem6ufhS6Oew6aI6IVlfacgTJtbFeleWXZh0ue8o8\/FVehcsDozfPVyqd2beAaLdw7AEWuPBsy\/NtRo7nK6amwzE7wely5\/Li6bHG7EM3mel42aI9A86edPRMPG0Ly9C4IXGVdSXyWneZ42VsFYuj6kTogdbNyRn62pnUvPuruzMr3A+oweXcoviYt9jgW6815zm+k8\/tAB\/OBUuybA1gvm903GUlLnZS6ZF4KFr24FYdVfxNcHoN\/nFir0ejjdiS\/RN6WHm6VtwnvhPbN\/CPbfkffMXtuX3qjh3relJQiEoMQKEpOyKasJqDId1NjV21hXC6QDvdJEJVO1s\/Q\/zN6OTm8v3oOGonI9l57alQUrkXYpZMcsGthFgcg05VXIYrOJRhIhUfQ\/A63I8zG3eKzunHr8oC2NDAbQaOkGxtKX2WhycdMdrn93jLkKuKz3vZ9JmVLTQZa3BEZ0bqBxVlISUosM18C1LstzjfR8zjgcXvgyeor56XydIvT6GCMTACyMtUrgCKhlE19BSC9tDF2gkO5dOOJom5fPt2VnLbnJsVlaDDEPHHuS8fSny7ebZ3qPK2w9TgzU+rEx8ulpAaNFzDbyos643zk7Ou5p5O+X0FYusqEnp3Q6dbPtiuk0uU14ejc98q24cupIjGzSHlDhtF575ZOO+XSVH4SnEqKawNGGtZiJmIRtjEC5UnTQtnUn51xEfWfPtM8B7b2wbSKwHWlcGMSfEWVosImWLXNObHxqcs3YBBYOiCN6LkB4epBLK0KLAqqCHVFoZN\/S\/La3Ded0EcjPZ3z3AN\/GxrIy9iG8YgvWH1PnkuwzLWQPtqlhubqs540iAhZVVsNHpgy+LaCMldVgpipyGjRNCQdSLo8zK5\/dN6RMPzzXjRmF7eCA9vW05aci1898xYkdUwXtNbK2ik7MtyrTKySLWrnk2azz+9hky9fQzRuXXXQYOOm8sLU6Mz+T6DMig+c38yaBw+rLTxauj59VjG6rUoWWXRciQb8rJMP0s6wZdhrOeI1OpspY+oXQgyBjtBm3CyFWZNgavivsvzz15cAGTDTH0Hz\/1jzPKsrUpltBIzz0jO0ZWIpZqARY="} -01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":497,"source":"instagram.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720942530885,"flow_src_last_pkt_time":1436720942601472,"flow_dst_last_pkt_time":1436720942602785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":23009,"midstream":1,"thread_ts_usec":1436720942602785,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":58052,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":30,"flow_avg":4805.6,"flow_max":62164,"flow_stddev":14831.5,"c_to_s_min":31,"c_to_s_avg":5458.5,"c_to_s_max":62164,"c_to_s_stddev":15399.1,"s_to_c_min":30,"s_to_c_avg":4229.4,"s_to_c_max":61310,"s_to_c_stddev":14287.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":83.3,"c_to_s_max":326,"c_to_s_stddev":64.9,"s_to_c_min":396,"s_to_c_avg":1419.5,"s_to_c_max":1484,"s_to_c_stddev":255.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":497,"source":"instagram.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720942530885,"flow_src_last_pkt_time":1436720942601472,"flow_dst_last_pkt_time":1436720942602785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":23009,"midstream":1,"thread_ts_usec":1436720942602785,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":58052,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":30,"flow_avg":4596.4,"flow_max":62164,"flow_stddev":15022.2,"c_to_s_min":31,"c_to_s_avg":5041.9,"c_to_s_max":62164,"c_to_s_stddev":15857.7,"s_to_c_min":30,"s_to_c_avg":4229.4,"s_to_c_max":61310,"s_to_c_stddev":14287.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":83.3,"c_to_s_max":326,"c_to_s_stddev":64.9,"s_to_c_min":396,"s_to_c_avg":1419.5,"s_to_c_max":1484,"s_to_c_stddev":255.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":541,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950909974,"flow_dst_last_pkt_time":1436720950909974,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1398,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950909974,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 02452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":541,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1436720950909974,"flow_dst_last_pkt_time":1436720950909974,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1464,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1464,"pkt_l4_len":1430,"thread_ts_usec":1436720950909974,"pkt":"QPMIw47hABsv8H60CABFAAWqgMlAAFYGaDQfDVY0wKgAZwBQ42ig4vcaLhm0z4AQADsFTwAAAQEIChPCQpUAA\/8J\/RR\/Qw44auNd5sy65M8X7sSNLvesqLPp\/hWIEgj7u\/c3G33+CGWHr5NjTBvseCa33d9vm54JLq\/16uWtfE8LiAl4wMLDP475fV1R18fJlgWHzmvfo5rv8qseyXDb2HUuXqKoKX0JEHYQ4SCsd7x2l6PL5eytk2f\/kmJp\/iODsxx2N\/N4UQwH1r7vqSLq\/y5DElOXzRARZUzbImejgsz5wOzVgeOngfBrQtGX6fL5DmkthCiZgx4mBvjCvzFR0YP1xM0OXv+CShnIqVrP5zMdqJDyzU483pE+34fsEdDMZT4JhGoy\/98gru4qi0lyXyEksrGabld776ByfJIVVp4RivH8YLNUqtpfCVBnMTiA7j\/sfl7slzSCJaM2S8tAkbhjEusFLl75fI1asIxOiRsWcrVhmx\/PbZlpNd4K8\/v2iJLC1YElBY1y9j56WJc0LPwne+0suiyX3kgj3Fb6y+5RCsQCy2EKLdhWRbyLYVKkL4lX1A\/hBl\/EQkdQU6AhwlzHoU9XC8zrf\/sv+pTGiGgMczA3HQL0c6iXziIlynBHwH6WDIGpFhs4sIl7R4Y0SaCPOZA1lnMfjRJoKCOWKLZc4VEiazWUhaMala+ExIJc2XmtrYy\/iRYyo+LY2ytYUtBbJwRglHwtVOPffxRf4sv1nIag0M0miGXxU6GsLdqvokImfUh+1xnyRB2wekFeanQUhm7KU2GNA\/Wut8I6Yh\/BrGK2ISAtFCkh5uw9+EN15dd79TckDZ5M\/1IXL8vqbu\/hTG\/JfucZfR3dz3L3c+OhdygQW8UzKVOFvvFE3uZQnd322DAH7zC3LRHAXbCjqHBmwf2whhpegjLfm6RfL+z+IzmMokA9e2qfVhZ6xYQdwpjxowXA\/a0hFuEIYBqgg2RBxOTW9B0lNexKZj7L7myCIQt5asMs3OULjIFOSJmLxUIk3Q37w4ymEfVUM4Q7YQrd2Q7D7oXQeE3jsBBmSxiRovqahgnBN4hvIeCZZMLY1uvosfkYR3vNLSiHuKZeam\/RFQJomYqTPcrO3yya\/L8n\/bJvfwlRzHWNuu76VGEBOTSmIQrzPwlvzfa91FS9xmltfjK8v2vivjQ79d9wnDovM7E8heMjng\/L76qTSur9Xu++liqI9lESwcV36\/iMv+UhBAvwlNl9yFOXzTHExcfuKxDjy2WcT\/yjID\/XwdhLUHYsgQ9jzrKZiitJYPrb03G\/4eqDHUUFspftslQp6lFXZbtMgT+PtX+iul7L97VDMHXGdwaI8TzZ6\/jXre8vnY2F+CmIZKNEjnJpMB39UHX\/p7\/3FfZpIUwHcB3IlgFw2RAH5dbcIGzC1nhuJYVIQctqJ04wUFMG9bZhr46HZ73BXAQuUhUW68mxXOEcSUvu6IiD4944qVAoG\/m5vfXCzer8TXXbtxGJy\/lJZWKxmuOzEdM\/69tZAld3d7Oi+E\/\/wSXdP1F9r8RHsvFnMaKa\/Gb3fFq120z5cfUI5ObITs4O5x1e\/k2SP4T55SQ1l\/\/E7jbfd3y\/W+K4YanQb4PNdLvnwtOUEVU10v172Jve733E93FYrd8\/r7COigUu\/j7zMkQoWBxC6yXxRL8fBFpX1\/jifjboOb9QR4q79l+S7kBZXF3dpMduttP55\/mpWYFflzvfd\/Hx+Ie9ijit30tVfYliZvDoVqX8Iibo18xmX2SURsTLcDlv6t9hYNRdUnFiX1r9e4\/4uD+iVcRBUU8hc0fHv5tu\/ghpv97F5dOxeZj2CiEjpYqtM2N6y9Ex9X2v34njvtqIprtcVwGtsEjAY8n2yd95fX6LnY6678J3vfovd9+pLl7ZMl\/\/3mgopvtAOiqdmdl8m1KgVxW1IDqxnD5Yq+7jVsvs"} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":542,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_src_last_pkt_time":1436720950909974,"flow_dst_last_pkt_time":1436720950910341,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720950910341,"pkt":"ABsv8H60QPMIw47hCABFAAA0TetAAEAGtojAqABnHw1WNONoAFAuGbTPoOL3GoAQH8w2dwAAAQEICgAD\/xATwkKT"} 02439{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":543,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":3,"flow_src_last_pkt_time":1436720950911439,"flow_dst_last_pkt_time":1436720950910341,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1464,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1464,"pkt_l4_len":1430,"thread_ts_usec":1436720950911439,"pkt":"QPMIw47hABsv8H60CABFAAWqgMpAAFYGaDMfDVY0wKgAZwBQ42ig4vyQLhm0z4AYADulrQAAAQEIChPCQpYAA\/8JIuSEmFKcHvUO79IuA4AtgLK1ooHfe\/xvCx6EanjcjDye5qfYfg99btIFMlfpEyS0+WXx48YQQIBKyWOQayb5WbhMWSz8Ru7MV\/a5RJtywzl84iv9BLl6PdqXz3kxPZm4yY8HdjILE3vdfyWVN0pVFaKK+f+Osc32N80bLx0naY6\/StT9w4Neeouf2Tn\/vkhhHb5a5vAV9Sx5efQ\/Fatqq174n5ea7v9ir3vf4yK3Pnlx3v3fywdfv\/ld3jdWI6CQY9xByO962aeABxBaD0Ff8vq65YOluUkGW\/xG5p7nyyq1NumgVeaWXPx2O3qpBCTyam4Mj9KNa9CLu77T788mzfZZLswHVfevJGWxpG6er55a4je67Jde+KzsbHfq771q7M2+z\/WWJw+2E3Gv8+Ffd+tBC77nzd2bXmu\/clj6qf9o8rFbG7XiKrvvv6XxVyXfvsflY+OxHlh7gk3Z3+CHdjx7fieVi8bxm781fQKvN8eNlagx6Pt3\/NOSAfXLBsZ085Sli5c\/HVLg4fEITYcZuYfT1VtMLoUR\/it2aocyhvwSZMTvD5t065r2N7JUsZycS8vq283r4S3bSl8\/xBhG2Ci5YyWnWnN8pxV7z+JfURJd7rip6XefL+Ju6T2Uxe8n5uUueW8j7FWxyhWWeGt2YWoIb6BgT6P7uCHnx\/HwXcNPzZiXBYPY6liIwioP5BO9O7zdXvrl6Ju71WJu93dF9e+W764JLl\/1aJkh+a8yX4S4lMe7dI+73eX7WiDQUaZve75ZfLkLUJX2tpOX0s4hxEi8nbq2h\/\/mvflq9RBfYRrfTdMUcVv5e78i9rwQyT\/Sl\/1zQY9T8g\/Uty51S6PL8o6JLB8VrQkT8ugJnmu83Eyez2e5Qy1+W7Aw4JHINbEb3Lj395YP7YvjhcMBXfvXJ44Z+Ixmnuj5fXvqryZ8aIvNfJRrTESolEZ4VaoKtE96vFFfwld9u321frxC3vvk10K23e7KuXiuSPeX78kEfFYr7eXpJxFpezOY6TshceqnnmzDJNaHyWEjeK+xtg7siFQxNUarW6raVTT\/fwlt3m1+qIhVuJsRCxFdbFXtQf9\/RdIuTCv1R7IUVly5mtgVW\/5h5d378ta7e\/5QkWm71LXLL\/Y\/yuCATBPFbu75ZM1tF4Xr2urFPeZ1jp6PYqu0ysRtkUSKOnvSvJ9F0HEq\/Rr4RDbTxd+7uU\/Q0X5NSa4riJq7\/YqaIUW4dNr2MWX30vRqr09mqvna6y\/VdiohYPHuWzpM\/5V791hHspd591pkzSvTJiOetcEmlGTx05fm5r+E5WPIYg3+Ld5OiDJCb38Xd9ysF92RKCKwntddXfaT3LP\/4K7yaDr4HbV6D7vh8Ru7u\/ShH0gWZxKK93e\/u7nhshKX\/8u99ZHz6WcFOZh7FbiudjfLamk58fUJd3H2j6sTr\/E4xQhYhPxokXSHH53b6EIn4I8kGvoiAAQAAAAAAACAYAavAAAAAgECXIEAAAAAAAAAAAAAAAACAAWcAAAAZwAAAAUAAQABAAAAAIBgBrAAAAACAQJcAQAAAAAAAAAAAAAAAAIABZwAAABnAAAFoQABAAEAAAAAgGAGsQAAAAIBAlwBAAAAAAAAAAAAAAAAAgAFnAAAAGcAAAs9AAEAAQAAAACA4AayAAAAAgECXEEAAAAAAAAAAAAAAAACAAFNAAAAZwAAENkAAQABARggBwEYIAcAABVgQZrjwgqFiDcfxdYWFjNTGhc\/+kWorCzCP06aQacK5fU3p2bDv4QjGkzRtJEnNbVPk\/10ykQi0ZJ4s6VFQ2Ko59C0bD2u1KUtTyS\/\/DlRe1HhoMlOd6CAkkRYQkwPPOx2Ho6SCe9GzaPNROS+"} -01196{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":572,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950923433,"flow_dst_last_pkt_time":1436720950922975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":29358,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950923433,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":30,"flow_avg":259847.7,"flow_max":8288665,"flow_stddev":1442018.2,"c_to_s_min":30,"c_to_s_avg":395339.2,"c_to_s_max":8288665,"c_to_s_stddev":1765001.4,"s_to_c_min":367,"s_to_c_avg":1181.9,"s_to_c_max":2075,"s_to_c_stddev":539.1},"pktlen": {"c_to_s_min":1464,"c_to_s_avg":1464.0,"c_to_s_max":1464,"c_to_s_stddev":0.0,"s_to_c_min":66,"s_to_c_avg":66.0,"s_to_c_max":66,"s_to_c_stddev":0.0}}} +01176{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":572,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950923433,"flow_dst_last_pkt_time":1436720950922975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":29358,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950923433,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":30,"flow_avg":853.5,"flow_max":2198,"flow_stddev":594.0,"c_to_s_min":30,"c_to_s_avg":673.0,"c_to_s_max":2198,"c_to_s_stddev":543.2,"s_to_c_min":367,"s_to_c_avg":1181.9,"s_to_c_max":2075,"s_to_c_stddev":539.1},"pktlen": {"c_to_s_min":1464,"c_to_s_avg":1464.0,"c_to_s_max":1464,"c_to_s_stddev":0.0,"s_to_c_min":66,"s_to_c_avg":66.0,"s_to_c_max":66,"s_to_c_stddev":0.0}}} 00915{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":572,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950923433,"flow_dst_last_pkt_time":1436720950922975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":29358,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950923433,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"HTTP.Facebook","proto_id":"7.119","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","http": {}}} 00916{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":572,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950923433,"flow_dst_last_pkt_time":1436720950922975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":29358,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950923433,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"HTTP.Facebook","proto_id":"7.119","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","http": {}}} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":645,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952553865,"flow_dst_last_pkt_time":1436720952553865,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1418,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952553865,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -160,7 +160,7 @@ 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":669,"source":"instagram.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720952563081,"flow_src_last_pkt_time":1436720952563081,"flow_dst_last_pkt_time":1436720952563081,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720952563081,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"8.8.8.8","src_port":27124,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":669,"source":"instagram.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1436720952563081,"flow_dst_last_pkt_time":1436720952563081,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1436720952563081,"pkt":"ABsv8H60QPMIw47hCABFAABH\/7VAAEARadHAqABnCAgICGn0ADUAM87BrqQBAAABAAAAAAAACHBob3Rvcy1iAmFrCWluc3RhZ3JhbQNjb20AAAEAAQ=="} 01013{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":669,"source":"instagram.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720952563081,"flow_src_last_pkt_time":1436720952563081,"flow_dst_last_pkt_time":1436720952563081,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720952563081,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"8.8.8.8","src_port":27124,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Instagram","proto_id":"5.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-b.ak.instagram.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01192{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":694,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952574830,"flow_dst_last_pkt_time":1436720952572908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24106,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952574830,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":31,"flow_avg":40226.9,"flow_max":1247254,"flow_stddev":216791.5,"c_to_s_min":61,"c_to_s_avg":74601.1,"c_to_s_max":1247254,"c_to_s_stddev":293165.3,"s_to_c_min":31,"s_to_c_avg":1269.5,"s_to_c_max":3846,"s_to_c_stddev":1200.5},"pktlen": {"c_to_s_min":1484,"c_to_s_avg":1484.0,"c_to_s_max":1484,"c_to_s_stddev":0.0,"s_to_c_min":66,"s_to_c_avg":66.0,"s_to_c_max":66,"s_to_c_stddev":0.0}}} +01180{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":694,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952574830,"flow_dst_last_pkt_time":1436720952572908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24106,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952574830,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":31,"flow_avg":1290.6,"flow_max":3846,"flow_stddev":1167.1,"c_to_s_min":61,"c_to_s_avg":1310.3,"c_to_s_max":3785,"c_to_s_stddev":1134.6,"s_to_c_min":31,"s_to_c_avg":1269.5,"s_to_c_max":3846,"s_to_c_stddev":1200.5},"pktlen": {"c_to_s_min":1484,"c_to_s_avg":1484.0,"c_to_s_max":1484,"c_to_s_stddev":0.0,"s_to_c_min":66,"s_to_c_avg":66.0,"s_to_c_max":66,"s_to_c_stddev":0.0}}} 00901{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":694,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952574830,"flow_dst_last_pkt_time":1436720952572908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24106,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952574830,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00902{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":694,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952574830,"flow_dst_last_pkt_time":1436720952572908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24106,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952574830,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":737,"source":"instagram.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720952611482,"flow_src_last_pkt_time":1436720952611482,"flow_dst_last_pkt_time":1436720952611482,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720952611482,"l3_proto":"ip4","src_ip":"46.33.70.150","dst_ip":"192.168.0.103","src_port":80,"dst_port":40855,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -173,7 +173,7 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":747,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_src_last_pkt_time":1568796253784713,"flow_dst_last_pkt_time":1568796253782515,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1568796253784713,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGAsrAqAIRHw1WNMDLAbuZigak9a8KwoAQCAwKkgAAAQEICg1wcq86Lg6w"} 01124{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":748,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253784771,"flow_dst_last_pkt_time":1568796253782515,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":222,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":222,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796253784771,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.2","ja3":"7a29c223fb122ec64d10f0a159e07996","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} 01176{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":750,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253784771,"flow_dst_last_pkt_time":1568796253798864,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":222,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":222,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1568796253798864,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"7a29c223fb122ec64d10f0a159e07996","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} -01367{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":776,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253821857,"flow_dst_last_pkt_time":1568796253819210,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":498,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":784,"flow_dst_tot_l4_payload_len":17805,"midstream":0,"thread_ts_usec":1568796253821857,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":23810534.0,"flow_max":761836225,"flow_stddev":132553336.0,"c_to_s_min":58,"c_to_s_avg":54420568.0,"c_to_s_max":761836225,"c_to_s_stddev":196201808.0,"s_to_c_min":7,"s_to_c_avg":2727.4,"s_to_c_max":16542,"s_to_c_stddev":5332.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":122.9,"c_to_s_max":564,"c_to_s_stddev":135.3,"s_to_c_min":66,"s_to_c_avg":1055.6,"s_to_c_max":1454,"s_to_c_stddev":578.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":776,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253821857,"flow_dst_last_pkt_time":1568796253819210,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":498,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":784,"flow_dst_tot_l4_payload_len":17805,"midstream":0,"thread_ts_usec":1568796253821857,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":3252.7,"flow_max":16760,"flow_stddev":5626.7,"c_to_s_min":58,"c_to_s_avg":3980.1,"c_to_s_max":16760,"c_to_s_stddev":5933.7,"s_to_c_min":7,"s_to_c_avg":2727.4,"s_to_c_max":16542,"s_to_c_stddev":5332.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":122.9,"c_to_s_max":564,"c_to_s_stddev":135.3,"s_to_c_min":66,"s_to_c_avg":1055.6,"s_to_c_max":1454,"s_to_c_stddev":578.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2070,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796254514906,"flow_dst_last_pkt_time":1568796254514906,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796254514906,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2070,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1568796254514906,"flow_dst_last_pkt_time":1568796254514906,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1568796254514906,"pkt":"xiwDYGpkxGGLNYKpCABFAABAAABAAEAGAr7AqAIRHw1WNMDNAbsBxqpOAAAAALAC\/\/8NqAAAAgQFtAEDAwYBAQgKDXB1TAAAAAAEAgAA"} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2071,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796254515573,"flow_dst_last_pkt_time":1568796254515573,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796254515573,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -192,8 +192,8 @@ 01176{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2088,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796254529128,"flow_dst_last_pkt_time":1568796254539971,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":597,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":1016,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796254539971,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2092,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796254531371,"flow_dst_last_pkt_time":1568796254543357,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":529,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":948,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796254543357,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2098,"source":"instagram.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796254524506,"flow_src_last_pkt_time":1568796254539348,"flow_dst_last_pkt_time":1568796254551766,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":513,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":932,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796254551766,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49359,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} -01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2163,"source":"instagram.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796254524506,"flow_src_last_pkt_time":1568796254710630,"flow_dst_last_pkt_time":1568796254725634,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1587,"flow_dst_tot_l4_payload_len":13458,"midstream":0,"thread_ts_usec":1568796254725634,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49359,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5,"flow_avg":12793.3,"flow_max":158859,"flow_stddev":36157.7,"c_to_s_min":5,"c_to_s_avg":13883.8,"c_to_s_max":142763,"c_to_s_stddev":35084.4,"s_to_c_min":68,"s_to_c_avg":11831.1,"s_to_c_max":158859,"s_to_c_stddev":37052.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":172.6,"c_to_s_max":637,"c_to_s_stddev":200.3,"s_to_c_min":66,"s_to_c_avg":858.1,"s_to_c_max":1454,"s_to_c_stddev":596.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01352{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2187,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796254765378,"flow_dst_last_pkt_time":1568796254925955,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":588,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2208,"flow_dst_tot_l4_payload_len":12690,"midstream":0,"thread_ts_usec":1568796254925955,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":21058.6,"flow_max":156515,"flow_stddev":44557.9,"c_to_s_min":111,"c_to_s_avg":18820.9,"c_to_s_max":156515,"c_to_s_stddev":40159.6,"s_to_c_min":7,"s_to_c_avg":22799.0,"s_to_c_max":155644,"s_to_c_stddev":47626.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":224.6,"c_to_s_max":654,"c_to_s_stddev":239.4,"s_to_c_min":66,"s_to_c_avg":771.4,"s_to_c_max":1454,"s_to_c_stddev":614.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2163,"source":"instagram.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796254524506,"flow_src_last_pkt_time":1568796254710630,"flow_dst_last_pkt_time":1568796254725634,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1587,"flow_dst_tot_l4_payload_len":13458,"midstream":0,"thread_ts_usec":1568796254725634,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49359,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5,"flow_avg":12492.0,"flow_max":158859,"flow_stddev":36696.7,"c_to_s_min":5,"c_to_s_avg":13294.6,"c_to_s_max":142763,"c_to_s_stddev":36244.1,"s_to_c_min":68,"s_to_c_avg":11831.1,"s_to_c_max":158859,"s_to_c_stddev":37052.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":172.6,"c_to_s_max":637,"c_to_s_stddev":200.3,"s_to_c_min":66,"s_to_c_avg":858.1,"s_to_c_max":1454,"s_to_c_stddev":596.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01352{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2187,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796254765378,"flow_dst_last_pkt_time":1568796254925955,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":588,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2208,"flow_dst_tot_l4_payload_len":12690,"midstream":0,"thread_ts_usec":1568796254925955,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":21296.4,"flow_max":156515,"flow_stddev":45250.9,"c_to_s_min":111,"c_to_s_avg":19215.8,"c_to_s_max":156515,"c_to_s_stddev":41649.3,"s_to_c_min":7,"s_to_c_avg":22799.0,"s_to_c_max":155644,"s_to_c_stddev":47626.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":224.6,"c_to_s_max":654,"c_to_s_stddev":239.4,"s_to_c_min":66,"s_to_c_avg":771.4,"s_to_c_max":1454,"s_to_c_stddev":614.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00763{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2210,"source":"instagram.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720901262544,"flow_src_last_pkt_time":1436720901262544,"flow_dst_last_pkt_time":1436720901262544,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":258,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1568796255020912,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.153","src_port":37350,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00769{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2210,"source":"instagram.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":6,"flow_first_seen":1436720908576723,"flow_src_last_pkt_time":1436720908733491,"flow_dst_last_pkt_time":1436720908662568,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":226,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":4267,"midstream":0,"thread_ts_usec":1568796255020912,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41181,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00769{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2210,"source":"instagram.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":6,"flow_first_seen":1436720908577363,"flow_src_last_pkt_time":1436720908737520,"flow_dst_last_pkt_time":1436720908665956,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":226,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":4267,"midstream":0,"thread_ts_usec":1568796255020912,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41182,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -243,9 +243,9 @@ 01125{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2224,"source":"instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265162908,"flow_dst_last_pkt_time":1568796265159201,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":404,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":404,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796265162908,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.2","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2230,"source":"instagram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796265146962,"flow_src_last_pkt_time":1568796265162734,"flow_dst_last_pkt_time":1568796265175583,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":930,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796265175583,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49360,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2231,"source":"instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265163365,"flow_dst_last_pkt_time":1568796265176036,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":930,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796265176036,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} -01361{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2260,"source":"instagram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1568796265146962,"flow_src_last_pkt_time":1568796265180861,"flow_dst_last_pkt_time":1568796265192260,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":20310,"midstream":0,"thread_ts_usec":1568796265192260,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49360,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":13,"flow_avg":321860.8,"flow_max":10220349,"flow_stddev":1777827.1,"c_to_s_min":13,"c_to_s_avg":854520.7,"c_to_s_max":10220349,"c_to_s_stddev":2823907.5,"s_to_c_min":27,"s_to_c_avg":2264.9,"s_to_c_max":16353,"s_to_c_stddev":4539.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":151.5,"c_to_s_max":592,"c_to_s_stddev":173.1,"s_to_c_min":66,"s_to_c_avg":1081.9,"s_to_c_max":1454,"s_to_c_stddev":582.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01367{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2675,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796265194500,"flow_dst_last_pkt_time":1568796265280665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":597,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2170,"flow_dst_tot_l4_payload_len":10887,"midstream":0,"thread_ts_usec":1568796265280665,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":670574.1,"flow_max":10469815,"flow_stddev":2523230.5,"c_to_s_min":106,"c_to_s_avg":712840.9,"c_to_s_max":10413415,"c_to_s_stddev":2592930.0,"s_to_c_min":6,"s_to_c_avg":633279.9,"s_to_c_max":10469815,"s_to_c_stddev":2459488.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":211.5,"c_to_s_max":663,"c_to_s_stddev":230.1,"s_to_c_min":66,"s_to_c_avg":706.9,"s_to_c_max":1454,"s_to_c_stddev":603.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2811,"source":"instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265327859,"flow_dst_last_pkt_time":1568796265324773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":15077,"midstream":0,"thread_ts_usec":1568796265327859,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":330591.9,"flow_max":10220465,"flow_stddev":1776549.2,"c_to_s_min":9,"c_to_s_avg":693416.4,"c_to_s_max":10220465,"c_to_s_stddev":2546409.8,"s_to_c_min":6,"s_to_c_avg":10452.6,"s_to_c_max":131670,"s_to_c_stddev":30768.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":134.4,"c_to_s_max":592,"c_to_s_stddev":158.5,"s_to_c_min":66,"s_to_c_avg":953.4,"s_to_c_max":1454,"s_to_c_stddev":621.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01345{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2260,"source":"instagram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1568796265146962,"flow_src_last_pkt_time":1568796265180861,"flow_dst_last_pkt_time":1568796265192260,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":20310,"midstream":0,"thread_ts_usec":1568796265192260,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49360,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":13,"flow_avg":2554.7,"flow_max":16353,"flow_stddev":4723.5,"c_to_s_min":13,"c_to_s_avg":3081.7,"c_to_s_max":14120,"c_to_s_stddev":4998.8,"s_to_c_min":27,"s_to_c_avg":2264.9,"s_to_c_max":16353,"s_to_c_stddev":4539.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":151.5,"c_to_s_max":592,"c_to_s_stddev":173.1,"s_to_c_min":66,"s_to_c_avg":1081.9,"s_to_c_max":1454,"s_to_c_stddev":582.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01367{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2675,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796265194500,"flow_dst_last_pkt_time":1568796265280665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":597,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2170,"flow_dst_tot_l4_payload_len":10887,"midstream":0,"thread_ts_usec":1568796265280665,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":691785.6,"flow_max":10469815,"flow_stddev":2560795.0,"c_to_s_min":106,"c_to_s_avg":762828.1,"c_to_s_max":10413415,"c_to_s_stddev":2676946.0,"s_to_c_min":6,"s_to_c_avg":633279.9,"s_to_c_max":10469815,"s_to_c_stddev":2459488.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":211.5,"c_to_s_max":663,"c_to_s_stddev":230.1,"s_to_c_min":66,"s_to_c_avg":706.9,"s_to_c_max":1454,"s_to_c_stddev":603.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01350{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2811,"source":"instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265327859,"flow_dst_last_pkt_time":1568796265324773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":15077,"midstream":0,"thread_ts_usec":1568796265327859,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":11563.7,"flow_max":131670,"flow_stddev":31792.0,"c_to_s_min":9,"c_to_s_avg":12912.9,"c_to_s_max":129919,"c_to_s_stddev":32942.4,"s_to_c_min":6,"s_to_c_avg":10452.6,"s_to_c_max":131670,"s_to_c_stddev":30768.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":134.4,"c_to_s_max":592,"c_to_s_stddev":158.5,"s_to_c_min":66,"s_to_c_avg":953.4,"s_to_c_max":1454,"s_to_c_stddev":621.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00929{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3443,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":456,"flow_dst_packets_processed":910,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796268061460,"flow_dst_last_pkt_time":1568796268058587,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":591,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2978,"flow_dst_tot_l4_payload_len":1217228,"midstream":0,"thread_ts_usec":1568796268061460,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3443,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":63,"flow_dst_packets_processed":81,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796268054084,"flow_dst_last_pkt_time":1568796268052355,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":597,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2170,"flow_dst_tot_l4_payload_len":95612,"midstream":0,"thread_ts_usec":1568796268061460,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00928{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3443,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":165,"flow_dst_packets_processed":223,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796268054096,"flow_dst_last_pkt_time":1568796268052381,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":588,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":3291,"flow_dst_tot_l4_payload_len":280319,"midstream":0,"thread_ts_usec":1568796268061460,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} diff --git a/test/results/iphone.pcap.out b/test/results/iphone.pcap.out index 0641d0496..afedad613 100644 --- a/test/results/iphone.pcap.out +++ b/test/results/iphone.pcap.out @@ -243,16 +243,16 @@ 01008{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":338,"source":"iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454599929249,"flow_src_last_pkt_time":1582454599929249,"flow_dst_last_pkt_time":1582454599929249,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454599929249,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":65079,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AppleiTunes","proto_id":"5.145","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"play.itunes.apple.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00764{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":340,"source":"iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":2,"flow_src_last_pkt_time":1582454599929249,"flow_dst_last_pkt_time":1582454599930239,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":241,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":241,"pkt_l4_len":207,"thread_ts_usec":1582454599930239,"pkt":"xGGLNYKpxiwDYGpkCABFAADjtQsAAEARP5zAqAIBwKgCEQA1\/jcAz3eX0zSBgAABAAUAAAAABHBsYXkGaXR1bmVzBWFwcGxlA2NvbQAAAQABwAwABQABAAAMOwAmCHBsYXktY2RuDGl0dW5lcy1hcHBsZQNjb20GYWthZG5zA25ldADAMwAFAAEAAAOmACIEcGxheQZpdHVuZXMFYXBwbGUDY29tCWVkZ2VzdWl0ZcBUwGUABQABAAAAXgAUBWExODA2BGRzY2IGYWthbWFpwFTAkwABAAEAAAAOAARce00awJMAAQABAAAADgAEXHtNQA=="} 01025{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":340,"source":"iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1582454599929249,"flow_src_last_pkt_time":1582454599929249,"flow_dst_last_pkt_time":1582454599930239,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":199,"midstream":0,"thread_ts_usec":1582454599930239,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":65079,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AppleiTunes","proto_id":"5.145","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"play.itunes.apple.com","dns": {"num_queries":1,"num_answers":5,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"92.123.77.26"}}} -01471{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":341,"source":"iphone.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454598587648,"flow_src_last_pkt_time":1582454599931707,"flow_dst_last_pkt_time":1582454599930073,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1024,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2695,"flow_dst_tot_l4_payload_len":5563,"midstream":0,"thread_ts_usec":1582454599931707,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50580,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":83979.1,"flow_max":686219,"flow_stddev":168314.3,"c_to_s_min":14,"c_to_s_avg":74717.1,"c_to_s_max":651125,"c_to_s_stddev":153330.2,"s_to_c_min":6,"s_to_c_avg":95887.5,"s_to_c_max":686219,"s_to_c_stddev":185132.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":216.4,"c_to_s_max":1090,"c_to_s_stddev":260.4,"s_to_c_min":66,"s_to_c_avg":463.9,"s_to_c_max":1506,"s_to_c_stddev":573.4}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01471{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":341,"source":"iphone.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454598587648,"flow_src_last_pkt_time":1582454599931707,"flow_dst_last_pkt_time":1582454599930073,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1024,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2695,"flow_dst_tot_l4_payload_len":5563,"midstream":0,"thread_ts_usec":1582454599931707,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50580,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":86660.8,"flow_max":686219,"flow_stddev":170333.3,"c_to_s_min":14,"c_to_s_avg":79062.3,"c_to_s_max":651125,"c_to_s_stddev":156694.7,"s_to_c_min":6,"s_to_c_avg":95887.5,"s_to_c_max":686219,"s_to_c_stddev":185132.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":216.4,"c_to_s_max":1090,"c_to_s_stddev":260.4,"s_to_c_min":66,"s_to_c_avg":463.9,"s_to_c_max":1506,"s_to_c_stddev":573.4}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":343,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454599934729,"flow_dst_last_pkt_time":1582454599934729,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454599934729,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":343,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1582454599934729,"flow_dst_last_pkt_time":1582454599934729,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1582454599934729,"pkt":"xiwDYGpkxGGLNYKpCABFAABAAABAAEAGzmnAqAIRXHtNGsWbAbupO4D5AAAAALDC\/\/\/ZMQAAAgQFtAEDAwcBAQgKEd\/tTwAAAAAEAgAA"} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":346,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":2,"flow_src_last_pkt_time":1582454599934729,"flow_dst_last_pkt_time":1582454599967985,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1582454599967985,"pkt":"xGGLNYKpxiwDYGpkCABFAAA8AAAAADUGGW5ce00awKgCEQG7xZtUZWomqTuA+qBScSDQrwAAAgQFrAQCCAozMbcgEd\/tTwEDAwc="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":351,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":3,"flow_src_last_pkt_time":1582454600080813,"flow_dst_last_pkt_time":1582454599967985,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1582454600080813,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGznXAqAIRXHtNGsWbAbupO4D6VGVqJ4AQBAtsOAAAAQEIChHf7eAzMbcg"} 01120{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":352,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600080888,"flow_dst_last_pkt_time":1582454599967985,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454600080888,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"play.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01165{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":364,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600080888,"flow_dst_last_pkt_time":1582454600116695,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1582454600116695,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"play.itunes.apple.com","tls": {"version":"TLSv1.3","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01471{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":397,"source":"iphone.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599225110,"flow_src_last_pkt_time":1582454600252426,"flow_dst_last_pkt_time":1582454600287478,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1018,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2233,"flow_dst_tot_l4_payload_len":5676,"midstream":0,"thread_ts_usec":1582454600287478,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50584,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":70045.1,"flow_max":654765,"flow_stddev":144765.5,"c_to_s_min":11,"c_to_s_avg":65504.1,"c_to_s_max":510701,"c_to_s_stddev":123251.4,"s_to_c_min":6,"s_to_c_avg":75883.4,"s_to_c_max":654765,"s_to_c_stddev":168255.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":190.1,"c_to_s_max":1084,"c_to_s_stddev":257.4,"s_to_c_min":66,"s_to_c_avg":472.0,"s_to_c_max":1506,"s_to_c_stddev":576.6}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01348{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":401,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600290030,"flow_dst_last_pkt_time":1582454600371223,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3458,"flow_dst_tot_l4_payload_len":5165,"midstream":0,"thread_ts_usec":1582454600371223,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":24889.1,"flow_max":147307,"flow_stddev":44050.9,"c_to_s_min":4,"c_to_s_avg":19997.6,"c_to_s_max":146084,"c_to_s_stddev":41631.2,"s_to_c_min":13,"s_to_c_avg":31178.1,"s_to_c_max":147307,"s_to_c_stddev":46224.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":258.8,"c_to_s_max":1506,"c_to_s_stddev":374.3,"s_to_c_min":66,"s_to_c_avg":435.5,"s_to_c_max":1506,"s_to_c_stddev":537.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} -01204{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":412,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1582454598721885,"flow_src_last_pkt_time":1582454600432880,"flow_dst_last_pkt_time":1582454600398737,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":13211,"flow_dst_tot_l4_payload_len":8177,"midstream":0,"thread_ts_usec":1582454600432880,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19,"flow_avg":105993.4,"flow_max":803512,"flow_stddev":183222.7,"c_to_s_min":19,"c_to_s_avg":85746.9,"c_to_s_max":655712,"c_to_s_stddev":152305.0,"s_to_c_min":133,"s_to_c_avg":139737.7,"s_to_c_max":803512,"s_to_c_stddev":221445.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":727.2,"c_to_s_max":1506,"c_to_s_stddev":656.4,"s_to_c_min":66,"s_to_c_avg":748.1,"s_to_c_max":1506,"s_to_c_stddev":684.8}}} +01471{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":397,"source":"iphone.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599225110,"flow_src_last_pkt_time":1582454600252426,"flow_dst_last_pkt_time":1582454600287478,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1018,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2233,"flow_dst_tot_l4_payload_len":5676,"midstream":0,"thread_ts_usec":1582454600287478,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50584,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":67409.2,"flow_max":654765,"flow_stddev":146324.1,"c_to_s_min":11,"c_to_s_avg":60430.4,"c_to_s_max":510701,"c_to_s_stddev":124984.4,"s_to_c_min":6,"s_to_c_avg":75883.4,"s_to_c_max":654765,"s_to_c_stddev":168255.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":190.1,"c_to_s_max":1084,"c_to_s_stddev":257.4,"s_to_c_min":66,"s_to_c_avg":472.0,"s_to_c_max":1506,"s_to_c_stddev":576.6}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01348{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":401,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600290030,"flow_dst_last_pkt_time":1582454600371223,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3458,"flow_dst_tot_l4_payload_len":5165,"midstream":0,"thread_ts_usec":1582454600371223,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":25541.8,"flow_max":147307,"flow_stddev":44603.2,"c_to_s_min":4,"c_to_s_avg":20900.1,"c_to_s_max":146084,"c_to_s_stddev":42666.7,"s_to_c_min":13,"s_to_c_avg":31178.1,"s_to_c_max":147307,"s_to_c_stddev":46224.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":258.8,"c_to_s_max":1506,"c_to_s_stddev":374.3,"s_to_c_min":66,"s_to_c_avg":435.5,"s_to_c_max":1506,"s_to_c_stddev":537.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} +01204{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":412,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1582454598721885,"flow_src_last_pkt_time":1582454600432880,"flow_dst_last_pkt_time":1582454600398737,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":13211,"flow_dst_tot_l4_payload_len":8177,"midstream":0,"thread_ts_usec":1582454600432880,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19,"flow_avg":109285.4,"flow_max":803512,"flow_stddev":185220.7,"c_to_s_min":19,"c_to_s_avg":90052.4,"c_to_s_max":655712,"c_to_s_stddev":155070.8,"s_to_c_min":133,"s_to_c_avg":139737.7,"s_to_c_max":803512,"s_to_c_stddev":221445.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":727.2,"c_to_s_max":1506,"c_to_s_stddev":656.4,"s_to_c_min":66,"s_to_c_avg":748.1,"s_to_c_max":1506,"s_to_c_stddev":684.8}}} 03957{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":412,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1582454598721885,"flow_src_last_pkt_time":1582454600432880,"flow_dst_last_pkt_time":1582454600398737,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":13211,"flow_dst_tot_l4_payload_len":8177,"midstream":0,"thread_ts_usec":1582454600432880,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"p26-keyvalueservice.icloud.com","tls": {"version":"TLSv1.2","server_names":"p62-keyvalueservice.icloud.com,p41-keyvalueservice.icloud.com,p97-keyvalueservice.icloud.com,p28-keyvalueservice.icloud.com,p32-keyvalueservice.icloud.com,p56-keyvalueservice.icloud.com,p33-keyvalueservice.icloud.com,p37-keyvalueservice.icloud.com,p67-keyvalueservice.icloud.com,p70-keyvalueservice.icloud.com,p63-keyvalueservice.icloud.com,p07-keyvalueservice.icloud.com,p52-keyvalueservice.icloud.com,p18-keyvalueservice.icloud.com,p21-keyvalueservice.icloud.com,p17-keyvalueservice.icloud.com,p36-keyvalueservice.icloud.com,p19-keyvalueservice.icloud.com,p26-keyvalueservice.icloud.com,p55-keyvalueservice.icloud.com,p06-keyvalueservice.icloud.com,p23-keyvalueservice.icloud.com,p65-keyvalueservice.icloud.com,p58-keyvalueservice.icloud.com,p35-keyvalueservice.icloud.com,p42-keyvalueservice.icloud.com,p12-keyvalueservice.icloud.com,p15-keyvalueservice.icloud.com,p16-keyvalueservice.icloud.com,p29-keyvalueservice.icloud.com,p39-keyvalueservice.icloud.com,p71-keyvalueservice.icloud.com,p22-keyvalueservice.icloud.com,p40-keyvalueservice.icloud.com,p11-keyvalueservice.icloud.com,p66-keyvalueservice.icloud.com,p68-keyvalueservice.icloud.com,p201-keyvalueservice.icloud.com,p10-keyvalueservice.icloud.com,p61-keyvalueservice.icloud.com,p30-keyvalueservice.icloud.com,p01-keyvalueservice.icloud.com,p14-keyvalueservice.icloud.com,p50-keyvalueservice.icloud.com,p31-keyvalueservice.icloud.com,p47-keyvalueservice.icloud.com,p48-keyvalueservice.icloud.com,p20-keyvalueservice.icloud.com,p51-keyvalueservice.icloud.com,p27-keyvalueservice.icloud.com,p49-keyvalueservice.icloud.com,p03-keyvalueservice.icloud.com,p24-keyvalueservice.icloud.com,p25-keyvalueservice.icloud.com,p08-keyvalueservice.icloud.com,p13-keyvalueservice.icloud.com,p04-keyvalueservice.icloud.com,p05-keyvalueservice.icloud.com,p02-keyvalueservice.icloud.com,p09-keyvalueservice.icloud.com,p57-keyvalueservice.icloud.com,p59-keyvalueservice.icloud.com,p64-keyvalueservice.icloud.com,p38-keyvalueservice.icloud.com,p54-keyvalueservice.icloud.com,p72-keyvalueservice.icloud.com,keyvalueservice.icloud.com,p69-keyvalueservice.icloud.com,p43-keyvalueservice.icloud.com,p45-keyvalueservice.icloud.com,p202-keyvalueservice.icloud.com,p98-keyvalueservice.icloud.com,p34-keyvalueservice.icloud.com,p44-keyvalueservice.icloud.com,p46-keyvalueservice.icloud.com,p53-keyvalueservice.icloud.com,p60-keyvalueservice.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=keyvalueservice.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D8:84:3B:15:06:49:1C:72:C4:05:C0:F0:82:3B:43:4A:D1:8F:D5:9F"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":419,"source":"iphone.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454600454021,"flow_src_last_pkt_time":1582454600454021,"flow_dst_last_pkt_time":1582454600454021,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454600454021,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":63677,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":419,"source":"iphone.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1582454600454021,"flow_dst_last_pkt_time":1582454600454021,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"thread_ts_usec":1582454600454021,"pkt":"xiwDYGpkxGGLNYKpCABFAABDtJ8AAP8RgafAqAIRwKgCAfi9ADUAL+BtI4YBAAABAAAAAAAABHN5bmMGaXR1bmVzBWFwcGxlA2NvbQAAAQAB"} diff --git a/test/results/ipp.pcap.out b/test/results/ipp.pcap.out index c67b59849..a7fb53fcd 100644 --- a/test/results/ipp.pcap.out +++ b/test/results/ipp.pcap.out @@ -10,7 +10,7 @@ 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1210953938235230,"flow_dst_last_pkt_time":1210953938235939,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1210953938235939,"pkt":"ABtjmL82ABJ5gGlgCABFAAA8U6wAAEAG\/dAKCgr7CgoKMQJ32C61d5gB3HcoNaASFtAB+AAAAgQFtAEDAwABAQgKAFjtJABr7jw="} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1210953938235965,"flow_dst_last_pkt_time":1210953938235939,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1210953938235965,"pkt":"ABJ5gGlgABtjmL82CABFAAA0xglAAEAGS3sKCgoxCgoK+9guAnfcdyg1tXeYAoAQAC5EXQAAAQEICgBr7j0AWO0k"} 01264{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":22,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1210953938235230,"flow_src_last_pkt_time":1210953938236026,"flow_dst_last_pkt_time":1210953938235939,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":144,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1210953938236026,"l3_proto":"ip4","src_ip":"10.10.10.49","dst_ip":"10.10.10.251","src_port":55342,"dst_port":631,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.IPP","proto_id":"7.6","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"10.10.10.251","http": {"url":"10.10.10.251\/ipp\/","code":0,"content_type":"","user_agent":"CUPS\/1.3.4","request_content_type":"application\/ipp"}}} -01561{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1210953938235230,"flow_src_last_pkt_time":1210953938290667,"flow_dst_last_pkt_time":1210953938297849,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2896,"flow_dst_max_l4_payload_len":25,"flow_src_tot_l4_payload_len":26572,"flow_dst_tot_l4_payload_len":25,"midstream":0,"thread_ts_usec":1210953938297849,"l3_proto":"ip4","src_ip":"10.10.10.49","dst_ip":"10.10.10.251","src_port":55342,"dst_port":631,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5,"flow_avg":3698.3,"flow_max":9119,"flow_stddev":3525.1,"c_to_s_min":5,"c_to_s_avg":2653.6,"c_to_s_max":9104,"c_to_s_stddev":3438.8,"s_to_c_min":709,"s_to_c_avg":5692.6,"s_to_c_max":9119,"s_to_c_stddev":2740.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":1331.7,"c_to_s_max":2962,"c_to_s_stddev":799.7,"s_to_c_min":66,"s_to_c_avg":69.0,"s_to_c_max":91,"s_to_c_stddev":7.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.IPP","proto_id":"7.6","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +01561{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1210953938235230,"flow_src_last_pkt_time":1210953938290667,"flow_dst_last_pkt_time":1210953938297849,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2896,"flow_dst_max_l4_payload_len":25,"flow_src_tot_l4_payload_len":26572,"flow_dst_tot_l4_payload_len":25,"midstream":0,"thread_ts_usec":1210953938297849,"l3_proto":"ip4","src_ip":"10.10.10.49","dst_ip":"10.10.10.251","src_port":55342,"dst_port":631,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5,"flow_avg":3808.3,"flow_max":9119,"flow_stddev":3527.0,"c_to_s_min":5,"c_to_s_avg":2771.9,"c_to_s_max":9104,"c_to_s_stddev":3481.8,"s_to_c_min":709,"s_to_c_avg":5692.6,"s_to_c_max":9119,"s_to_c_stddev":2740.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":1331.7,"c_to_s_max":2962,"c_to_s_stddev":799.7,"s_to_c_min":66,"s_to_c_avg":69.0,"s_to_c_max":91,"s_to_c_stddev":7.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.IPP","proto_id":"7.6","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":252,"source":"ipp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1210953939430652,"flow_src_last_pkt_time":1210953939430652,"flow_dst_last_pkt_time":1210953939430652,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1210953939430652,"l3_proto":"ip4","src_ip":"10.10.10.49","dst_ip":"10.10.10.251","src_port":55343,"dst_port":631,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":252,"source":"ipp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1210953939430652,"flow_dst_last_pkt_time":1210953939430652,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1210953939430652,"pkt":"ABJ5gGlgABtjmL82CABFAAA8ASxAAEAGEFEKCgoxCgoK+9gvAnfdKfPLAAAAAKACFtBpAQAAAgQFtAQCCAoAa\/LnAAAAAAEDAwc="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":254,"source":"ipp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1210953939430652,"flow_dst_last_pkt_time":1210953939431407,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1210953939431407,"pkt":"ABtjmL82ABJ5gGlgCABFAAA8VFQAAEAG\/SgKCgr7CgoKMQJ32C+1fm4B3SnzzKASFtBa+AAAAgQFtAEDAwABAQgKAFjtJwBr8uc="} diff --git a/test/results/ipsec_isakmp_esp.pcap.out b/test/results/ipsec_isakmp_esp.pcap.out index 6cf22b1e4..c5fbd4673 100644 --- a/test/results/ipsec_isakmp_esp.pcap.out +++ b/test/results/ipsec_isakmp_esp.pcap.out @@ -13,7 +13,7 @@ 00566{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":24,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","packets-captured":24,"packets-processed":23,"total-skipped-flows":0,"total-l4-payload-len":11884,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":946745300340000} 00914{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":42,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":14,"flow_first_seen":946744635161000,"flow_src_last_pkt_time":946745301909000,"flow_dst_last_pkt_time":946745301906000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":11540,"flow_dst_tot_l4_payload_len":3360,"midstream":0,"thread_ts_usec":946745301909000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00909{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":42,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":946744638499000,"flow_src_last_pkt_time":946745300381000,"flow_dst_last_pkt_time":946745300411000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":288,"flow_src_tot_l4_payload_len":4728,"flow_dst_tot_l4_payload_len":1020,"midstream":0,"thread_ts_usec":946745301909000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":10500,"dst_port":500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} -01380{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":48,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946744635161000,"flow_src_last_pkt_time":946745723299000,"flow_dst_last_pkt_time":946745723443000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":12356,"flow_dst_tot_l4_payload_len":3648,"midstream":0,"thread_ts_usec":946745723443000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1000,"flow_avg":110598312.0,"flow_max":699136152,"flow_stddev":231393728.0,"c_to_s_min":1000,"c_to_s_avg":137482624.0,"c_to_s_max":699136152,"c_to_s_stddev":257030336.0,"s_to_c_min":4000,"s_to_c_avg":83714000.0,"s_to_c_max":662067000,"s_to_c_stddev":198937184.0},"pktlen": {"c_to_s_min":138,"c_to_s_avg":814.2,"c_to_s_max":1374,"c_to_s_stddev":488.5,"s_to_c_min":122,"s_to_c_avg":270.0,"s_to_c_max":1070,"s_to_c_stddev":229.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} +01378{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":48,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946744635161000,"flow_src_last_pkt_time":946745723299000,"flow_dst_last_pkt_time":946745723443000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":12356,"flow_dst_tot_l4_payload_len":3648,"midstream":0,"thread_ts_usec":946745723443000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1000,"flow_avg":87056800.0,"flow_max":662067000,"flow_stddev":203163760.0,"c_to_s_min":1000,"c_to_s_avg":90678168.0,"c_to_s_max":661960000,"c_to_s_stddev":207584736.0,"s_to_c_min":4000,"s_to_c_avg":83714000.0,"s_to_c_max":662067000,"s_to_c_stddev":198937184.0},"pktlen": {"c_to_s_min":138,"c_to_s_avg":814.2,"c_to_s_max":1374,"c_to_s_stddev":488.5,"s_to_c_min":122,"s_to_c_avg":270.0,"s_to_c_max":1070,"s_to_c_stddev":229.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00914{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":61,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":22,"flow_first_seen":946744635161000,"flow_src_last_pkt_time":946745725650000,"flow_dst_last_pkt_time":946745725647000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":16260,"flow_dst_tot_l4_payload_len":5568,"midstream":0,"thread_ts_usec":946745725650000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00909{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":61,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":8,"flow_first_seen":946744638499000,"flow_src_last_pkt_time":946745723231000,"flow_dst_last_pkt_time":946745723263000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":288,"flow_src_tot_l4_payload_len":6304,"flow_dst_tot_l4_payload_len":1360,"midstream":0,"thread_ts_usec":946745725650000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":10500,"dst_port":500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00566{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":62,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","packets-captured":62,"packets-processed":61,"total-skipped-flows":0,"total-l4-payload-len":29572,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":4,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":19,"global_ts_usec":946747247312000} diff --git a/test/results/jabber.pcap.out b/test/results/jabber.pcap.out index 2df4ee647..2a3c3ef8a 100644 --- a/test/results/jabber.pcap.out +++ b/test/results/jabber.pcap.out @@ -5,13 +5,13 @@ 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1502379723841804,"flow_dst_last_pkt_time":1502379723842248,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1502379723842248,"pkt":"aFs1pN2oTl6SKSKGCABFAAA8AABAAEAG4NOsEAGKrBAAPhRm3wagxQKCw6iV9qASOJCmRgAAAgQFtAQCCAoAGMyaTgMEJwEDAwc="} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1502379723842315,"flow_dst_last_pkt_time":1502379723842248,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1502379723842315,"pkt":"Tl6SKSKGaFs1pN2oCABFAAA0qcBAAEAGAACsEAA+rBABit8GFGbDqJX2oMUCg4AQICtaDwAAAQEICk4DBCcAGMya"} 00857{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1502379723841804,"flow_src_last_pkt_time":1502379723843132,"flow_dst_last_pkt_time":1502379723843076,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":138,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1502379723843132,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57094,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} -01348{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":34,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1502379723841804,"flow_src_last_pkt_time":1502379724444209,"flow_dst_last_pkt_time":1502379724444121,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":379,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":1485,"midstream":0,"thread_ts_usec":1502379724444209,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57094,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":218,"flow_avg":5153295.5,"flow_max":163700732,"flow_stddev":28476082.0,"c_to_s_min":218,"c_to_s_avg":9664890.0,"c_to_s_max":163700732,"c_to_s_stddev":38509044.0,"s_to_c_min":374,"s_to_c_avg":40154.5,"s_to_c_max":337303,"s_to_c_stddev":84588.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":121.4,"c_to_s_max":404,"c_to_s_stddev":88.7,"s_to_c_min":66,"s_to_c_avg":165.5,"s_to_c_max":445,"s_to_c_stddev":115.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":34,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1502379723841804,"flow_src_last_pkt_time":1502379724444209,"flow_dst_last_pkt_time":1502379724444121,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":379,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":1485,"midstream":0,"thread_ts_usec":1502379724444209,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57094,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":218,"flow_avg":38862.0,"flow_max":337747,"flow_stddev":84176.8,"c_to_s_min":218,"c_to_s_avg":37650.3,"c_to_s_max":337747,"c_to_s_stddev":83771.1,"s_to_c_min":374,"s_to_c_avg":40154.5,"s_to_c_max":337303,"s_to_c_stddev":84588.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":121.4,"c_to_s_max":404,"c_to_s_stddev":88.7,"s_to_c_min":66,"s_to_c_avg":165.5,"s_to_c_max":445,"s_to_c_stddev":115.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":89,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1502380175298881,"flow_src_last_pkt_time":1502380175298881,"flow_dst_last_pkt_time":1502380175298881,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1502380175298881,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57122,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":89,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1502380175298881,"flow_dst_last_pkt_time":1502380175298881,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1502380175298881,"pkt":"Tl6SKSKGaFs1pN2oCABFAABAIwFAAEAGAACsEAA+rBABit8iFGaEgGHPAAAAALAC\/\/9aGwAAAgQFtAEDAwQBAQgKTgnffgAAAAAEAgAA"} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":90,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1502380175298881,"flow_dst_last_pkt_time":1502380175299571,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1502380175299571,"pkt":"aFs1pN2oTl6SKSKGCABFAAA8AABAAEAG4NOsEAGKrBAAPhRm3yLL7qcahIBh0KASOJCKxQAAAgQFtAQCCAoAH7AnTgnffgEDAwc="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":91,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1502380175299630,"flow_dst_last_pkt_time":1502380175299571,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1502380175299630,"pkt":"Tl6SKSKGaFs1pN2oCABFAAA0ciBAAEAGAACsEAA+rBABit8iFGaEgGHQy+6nG4AQICtaDwAAAQEICk4J334AH7An"} 00858{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":94,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1502380175298881,"flow_src_last_pkt_time":1502380175300064,"flow_dst_last_pkt_time":1502380175300022,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":138,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1502380175300064,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57122,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} -01350{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":120,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1502380175298881,"flow_src_last_pkt_time":1502380175888009,"flow_dst_last_pkt_time":1502380175887945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":379,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":1483,"midstream":0,"thread_ts_usec":1502380175888009,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57122,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":72,"flow_avg":14082257.0,"flow_max":449454035,"flow_stddev":78195128.0,"c_to_s_min":72,"c_to_s_avg":26473128.0,"c_to_s_max":449454035,"c_to_s_stddev":105745256.0,"s_to_c_min":134,"s_to_c_avg":39270.9,"s_to_c_max":336438,"s_to_c_stddev":85322.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":121.4,"c_to_s_max":404,"c_to_s_stddev":88.7,"s_to_c_min":66,"s_to_c_avg":165.4,"s_to_c_max":445,"s_to_c_stddev":115.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01331{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":120,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1502380175298881,"flow_src_last_pkt_time":1502380175888009,"flow_dst_last_pkt_time":1502380175887945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":379,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":1483,"midstream":0,"thread_ts_usec":1502380175888009,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57122,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":72,"flow_avg":38006.2,"flow_max":336798,"flow_stddev":84915.4,"c_to_s_min":72,"c_to_s_avg":36820.5,"c_to_s_max":336798,"c_to_s_stddev":84514.5,"s_to_c_min":134,"s_to_c_avg":39270.9,"s_to_c_max":336438,"s_to_c_stddev":85322.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":121.4,"c_to_s_max":404,"c_to_s_stddev":88.7,"s_to_c_min":66,"s_to_c_avg":165.4,"s_to_c_max":445,"s_to_c_stddev":115.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":175,"source":"jabber.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1502380213387324,"flow_src_last_pkt_time":1502380213387324,"flow_dst_last_pkt_time":1502380213387324,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":16,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1502380213387324,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57126,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":175,"source":"jabber.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1502380213387324,"flow_dst_last_pkt_time":1502380213387324,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1502380213387324,"pkt":"Tl6SKSKGaFs1pN2oCABFAABEEUNAAEAGAACsEAA+rBABit8mFGZE6SgmjZ+UW4AYIABaHwAAAQEICk4Kc24AIDNjPC9zdHJlYW06c3RyZWFtPg=="} 00858{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":175,"source":"jabber.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1502380213387324,"flow_src_last_pkt_time":1502380213387324,"flow_dst_last_pkt_time":1502380213387324,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":16,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1502380213387324,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57126,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} @@ -36,7 +36,7 @@ 00688{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":251,"source":"jabber.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1502380915481182,"flow_dst_last_pkt_time":1502380915486217,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":186,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":186,"pkt_l4_len":152,"thread_ts_usec":1502380915486217,"pkt":"aFs1pN2oTl6SKSKGCABFAACsmGdAAEAGR\/ysEAGKrBAAPhRm3z2fGhbwcCeU94AYAP6TqgAAAQEICgAq+5ZOFR2YPG1lc3NhZ2UgdG89J3RvbUBjcy14bXBwLmxhbi9kYXJrc3RhcicgZnJvbT0nY2hhdC13aXRoLXRvbUBjb25mZXJlbmNlLmNzLXhtcHAubGFuJyB0eXBlPSdncm91cGNoYXQnPjxzdWJqZWN0Lz48L21lc3NhZ2U+"} 00903{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":260,"source":"jabber.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":12,"flow_first_seen":1502380724652555,"flow_src_last_pkt_time":1502380725074115,"flow_dst_last_pkt_time":1502380725074074,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":285,"flow_src_tot_l4_payload_len":654,"flow_dst_tot_l4_payload_len":772,"midstream":0,"thread_ts_usec":1502380919392608,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57147,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":260,"source":"jabber.pcap","alias":"nDPId-test","packets-captured":260,"packets-processed":243,"total-skipped-flows":0,"total-l4-payload-len":34275,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":6,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":38,"global_ts_usec":1502381519875958} -01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":282,"source":"jabber.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1502380915481182,"flow_src_last_pkt_time":1502381566576939,"flow_dst_last_pkt_time":1502381566616902,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":463,"flow_src_tot_l4_payload_len":1086,"flow_dst_tot_l4_payload_len":2076,"midstream":1,"thread_ts_usec":1502381566616902,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57149,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":46644956.0,"flow_max":600487770,"flow_stddev":147072336.0,"c_to_s_min":3,"c_to_s_avg":46750160.0,"c_to_s_max":600484177,"c_to_s_stddev":141358368.0,"s_to_c_min":2,"s_to_c_avg":46509696.0,"s_to_c_max":600487770,"s_to_c_stddev":154107776.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":126.3,"c_to_s_max":305,"c_to_s_stddev":77.6,"s_to_c_min":66,"s_to_c_avg":214.3,"s_to_c_max":529,"s_to_c_stddev":140.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":282,"source":"jabber.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1502380915481182,"flow_src_last_pkt_time":1502381566576939,"flow_dst_last_pkt_time":1502381566616902,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":463,"flow_src_tot_l4_payload_len":1086,"flow_dst_tot_l4_payload_len":2076,"midstream":1,"thread_ts_usec":1502381566616902,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57149,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":42007464.0,"flow_max":600487770,"flow_stddev":147104800.0,"c_to_s_min":3,"c_to_s_avg":38299748.0,"c_to_s_max":600484177,"c_to_s_stddev":140968944.0,"s_to_c_min":2,"s_to_c_avg":46509696.0,"s_to_c_max":600487770,"s_to_c_stddev":154107776.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":126.3,"c_to_s_max":305,"c_to_s_stddev":77.6,"s_to_c_min":66,"s_to_c_avg":214.3,"s_to_c_max":529,"s_to_c_stddev":140.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":289,"source":"jabber.pcap","alias":"nDPId-test","packets-captured":289,"packets-processed":270,"total-skipped-flows":0,"total-l4-payload-len":36212,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":6,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":40,"global_ts_usec":1504181789350325} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":289,"source":"jabber.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1504181789350325,"flow_src_last_pkt_time":1504181789350325,"flow_dst_last_pkt_time":1504181789350325,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1504181789350325,"l3_proto":"ip4","src_ip":"192.168.58.1","dst_ip":"192.168.58.153","src_port":53460,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":289,"source":"jabber.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1504181789350325,"flow_dst_last_pkt_time":1504181789350325,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1504181789350325,"pkt":"AAwpvhIxAFBWwAAICABFAAA0dxlAAIAGjb\/AqDoBwKg6mdDUFGaBHPlXAAAAAIACIAD5dQAAAgQFtAEDAwgBAQQC"} diff --git a/test/results/kismet.pcap.out b/test/results/kismet.pcap.out index 0be2878da..83540c9c2 100644 --- a/test/results/kismet.pcap.out +++ b/test/results/kismet.pcap.out @@ -5,7 +5,7 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1144004385285325,"flow_dst_last_pkt_time":1144004385285353,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1144004385285353,"pkt":"AAAAAAAAAAAAAAAACABFAAA0AABAAIAG\/MF\/AAABfwAAAQnFhRGzPp6Js2uR14ASf\/+QygAAAgRADAEBBAIBAwMC"} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1144004385285367,"flow_dst_last_pkt_time":1144004385285353,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1144004385285367,"pkt":"AAAAAAAAAAAAAAAACABFAAAoPIdAAIAGwEZ\/AAABfwAAAYURCcWza5HXsz6eilAQIABr7wAA"} 00858{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1144004385285325,"flow_src_last_pkt_time":1144004385285367,"flow_dst_last_pkt_time":1144004385285561,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":199,"midstream":0,"thread_ts_usec":1144004385285561,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":34065,"dst_port":2501,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Kismet","proto_id":"309","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1144004385285325,"flow_src_last_pkt_time":1144004397698680,"flow_dst_last_pkt_time":1144004398798485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1045,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":1045,"flow_dst_tot_l4_payload_len":1777,"midstream":0,"thread_ts_usec":1144004398798485,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":34065,"dst_port":2501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":28,"flow_avg":38038008.0,"flow_max":1191289789,"flow_stddev":207130528.0,"c_to_s_min":42,"c_to_s_avg":75231448.0,"c_to_s_max":1191289789,"c_to_s_stddev":288165312.0,"s_to_c_min":28,"s_to_c_avg":844572.5,"s_to_c_max":1099849,"s_to_c_stddev":402430.6},"pktlen": {"c_to_s_min":54,"c_to_s_avg":120.1,"c_to_s_max":1099,"c_to_s_stddev":252.8,"s_to_c_min":54,"s_to_c_avg":165.8,"s_to_c_max":253,"s_to_c_stddev":53.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Kismet","proto_id":"309","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01342{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1144004385285325,"flow_src_last_pkt_time":1144004397698680,"flow_dst_last_pkt_time":1144004398798485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1045,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":1045,"flow_dst_tot_l4_payload_len":1777,"midstream":0,"thread_ts_usec":1144004398798485,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":34065,"dst_port":2501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":28,"flow_avg":836339.2,"flow_max":1099852,"flow_stddev":406205.2,"c_to_s_min":42,"c_to_s_avg":827557.0,"c_to_s_max":1099852,"c_to_s_stddev":410011.1,"s_to_c_min":28,"s_to_c_avg":844572.5,"s_to_c_max":1099849,"s_to_c_stddev":402430.6},"pktlen": {"c_to_s_min":54,"c_to_s_avg":120.1,"c_to_s_max":1099,"c_to_s_stddev":252.8,"s_to_c_min":54,"s_to_c_avg":165.8,"s_to_c_max":253,"s_to_c_stddev":53.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Kismet","proto_id":"309","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00907{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":35,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":17,"flow_first_seen":1144004385285325,"flow_src_last_pkt_time":1144004399898338,"flow_dst_last_pkt_time":1144004399898316,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1045,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":1045,"flow_dst_tot_l4_payload_len":1912,"midstream":0,"thread_ts_usec":1144004399898338,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":34065,"dst_port":2501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Kismet","proto_id":"309","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00558{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":35,"source":"kismet.pcap","alias":"nDPId-test","packets-captured":35,"packets-processed":35,"total-skipped-flows":0,"total-l4-payload-len":2957,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1144004399898338} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121470/121470 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 477 chars -~~ json string max len.......: 1363 chars -~~ json string avg len.......: 884 chars +~~ json string max len.......: 1347 chars +~~ json string avg len.......: 877 chars diff --git a/test/results/kontiki.pcap.out b/test/results/kontiki.pcap.out index 7101cd396..603367839 100644 --- a/test/results/kontiki.pcap.out +++ b/test/results/kontiki.pcap.out @@ -26,7 +26,7 @@ 00722{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":12,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1213662198701406,"flow_src_last_pkt_time":1213662198701406,"flow_dst_last_pkt_time":1213662198701406,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1213662198701406,"l3_proto":"ip4","src_ip":"4.79.219.125","dst_ip":"10.25.32.59","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3} 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1213662198701406,"flow_dst_last_pkt_time":1213662198701406,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1213662198701406,"pkt":"ABVYKKDoANAreRD8CABFwAA4\/Y8AAPoBuFQET9t9ChkgOwsADhsAAAAARQAAIA+mAAABEaq1ChkgO0DIlFZN7CK4AAx2NA=="} 00847{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1213662198701406,"flow_src_last_pkt_time":1213662198701406,"flow_dst_last_pkt_time":1213662198701406,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1213662198701406,"l3_proto":"ip4","src_ip":"4.79.219.125","dst_ip":"10.25.32.59","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.321296}} -01494{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":41,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1213662198289578,"flow_src_last_pkt_time":1213662198988100,"flow_dst_last_pkt_time":1213662198992190,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":4,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":217,"flow_dst_max_l4_payload_len":1241,"flow_src_tot_l4_payload_len":591,"flow_dst_tot_l4_payload_len":24254,"midstream":0,"thread_ts_usec":1213662198992190,"l3_proto":"ip4","src_ip":"10.25.32.59","dst_ip":"64.200.148.86","src_port":19948,"dst_port":8888,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":13,"flow_avg":100815272.0,"flow_max":3224687514,"flow_stddev":561064064.0,"c_to_s_min":3074,"c_to_s_avg":322538592.0,"c_to_s_max":3224687514,"c_to_s_stddev":967382912.0,"s_to_c_min":13,"s_to_c_avg":31936.9,"s_to_c_max":607738,"s_to_c_stddev":125898.8},"pktlen": {"c_to_s_min":46,"c_to_s_avg":101.1,"c_to_s_max":259,"c_to_s_stddev":79.4,"s_to_c_min":70,"s_to_c_avg":1144.5,"s_to_c_max":1283,"s_to_c_stddev":355.2}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Kontiki","proto_id":"32","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}} +01471{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":41,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1213662198289578,"flow_src_last_pkt_time":1213662198988100,"flow_dst_last_pkt_time":1213662198992190,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":4,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":217,"flow_dst_max_l4_payload_len":1241,"flow_src_tot_l4_payload_len":591,"flow_dst_tot_l4_payload_len":24254,"midstream":0,"thread_ts_usec":1213662198992190,"l3_proto":"ip4","src_ip":"10.25.32.59","dst_ip":"64.200.148.86","src_port":19948,"dst_port":8888,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":13,"flow_avg":45197.9,"flow_max":607738,"flow_stddev":118031.4,"c_to_s_min":3074,"c_to_s_avg":77613.6,"c_to_s_max":212422,"c_to_s_stddev":88088.6,"s_to_c_min":13,"s_to_c_avg":31936.9,"s_to_c_max":607738,"s_to_c_stddev":125898.8},"pktlen": {"c_to_s_min":46,"c_to_s_avg":101.1,"c_to_s_max":259,"c_to_s_stddev":79.4,"s_to_c_min":70,"s_to_c_avg":1144.5,"s_to_c_max":1283,"s_to_c_stddev":355.2}},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Kontiki","proto_id":"32","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1173,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1213662200284689,"flow_dst_last_pkt_time":1213662198298123,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1213662200284689,"pkt":"AAAMB6wIABVYKKDoCABFAAAwEAgAACARi0EKGSA7QMiUWE3sAFAAHLz5AgUiAE9LWIs\/euHNAAAE5AIEAQA="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1174,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1213662200285056,"flow_dst_last_pkt_time":1213662198298679,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1213662200285056,"pkt":"ABVYKKDoANABJAf8CABFAAA4wRIAAP8BpkIKGSADChkgOwMN8aAAAAAARQAAMBAIAAAfEYxBChkgO0DIlFhN7ABQABy8+Q=="} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2709,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1213662202284851,"flow_dst_last_pkt_time":1213662198298123,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1213662202284851,"pkt":"AAAMB6wIABVYKKDoCABFAAAwEJ8AACARiqoKGSA7QMiUWE3sAFAAHLz5AgUiAE9LWIs\/euHNAAAE5AIEAQA="} diff --git a/test/results/log4j-webapp-exploit.pcap.out b/test/results/log4j-webapp-exploit.pcap.out index 3cad88a05..a4165a053 100644 --- a/test/results/log4j-webapp-exploit.pcap.out +++ b/test/results/log4j-webapp-exploit.pcap.out @@ -28,7 +28,7 @@ 00345{"packet_event_id":1,"packet_event_name":"packet","packet_id":35,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":44,"pkt_type":2054,"pkt_l3_offset":16,"pkt_l4_offset":0,"pkt_len":44,"pkt_l4_len":0,"thread_ts_usec":1639425815944860,"pkt":"AAAAAQAGAkJ2jzQWAAAIBgABCAAGBAABAkJ2jzQWrBDuAQAAAAAAAKwQ7go="} 00200{"error_event_id":2,"error_event_name":"Unknown L3 protocol","datalink":113,"packet_id":36,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","protocol":2054,"global_ts_usec":1639425820869752} 00345{"packet_event_id":1,"packet_event_name":"packet","packet_id":36,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":44,"pkt_type":2054,"pkt_l3_offset":16,"pkt_l4_offset":0,"pkt_len":44,"pkt_l4_len":0,"thread_ts_usec":1639425815944860,"pkt":"AAQAAQAGAkKsEO4KAAAIBgABCAAGBAACAkKsEO4KrBDuCgJCdo80FqwQ7gE="} -01202{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":65,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1639425815944677,"flow_src_last_pkt_time":1639425823295194,"flow_dst_last_pkt_time":1639425823295146,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":5,"flow_dst_max_l4_payload_len":3,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":3,"midstream":0,"thread_ts_usec":1639425823295194,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55408,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":46,"flow_avg":460275.6,"flow_max":7288582,"flow_stddev":1763126.1,"c_to_s_min":47,"c_to_s_avg":434020.6,"c_to_s_max":7288582,"c_to_s_stddev":1713707.9,"s_to_c_min":46,"s_to_c_avg":490031.3,"s_to_c_max":7288581,"s_to_c_stddev":1817051.4},"pktlen": {"c_to_s_min":68,"c_to_s_avg":70.2,"c_to_s_max":76,"c_to_s_stddev":2.0,"s_to_c_min":68,"s_to_c_avg":68.7,"s_to_c_max":76,"s_to_c_stddev":2.1}}} +01202{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":65,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1639425815944677,"flow_src_last_pkt_time":1639425823295194,"flow_dst_last_pkt_time":1639425823295146,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":5,"flow_dst_max_l4_payload_len":3,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":3,"midstream":0,"thread_ts_usec":1639425823295194,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55408,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":46,"flow_avg":474225.3,"flow_max":7288582,"flow_stddev":1789599.0,"c_to_s_min":47,"c_to_s_avg":459407.3,"c_to_s_max":7288582,"c_to_s_stddev":1763345.8,"s_to_c_min":46,"s_to_c_avg":490031.3,"s_to_c_max":7288581,"s_to_c_stddev":1817051.4},"pktlen": {"c_to_s_min":68,"c_to_s_avg":70.2,"c_to_s_max":76,"c_to_s_stddev":2.0,"s_to_c_min":68,"s_to_c_avg":68.7,"s_to_c_max":76,"s_to_c_stddev":2.1}}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":65,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1639425815944677,"flow_src_last_pkt_time":1639425823295194,"flow_dst_last_pkt_time":1639425823295146,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":5,"flow_dst_max_l4_payload_len":3,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":3,"midstream":0,"thread_ts_usec":1639425823295194,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55408,"dst_port":9001,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00771{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":395,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1639425834628601,"flow_src_last_pkt_time":1639425834628601,"flow_dst_last_pkt_time":1639425834628601,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639425834628601,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":57742,"dst_port":1389,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":395,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1639425834628601,"flow_dst_last_pkt_time":1639425834628601,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1639425834628601,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADxNdkAAQAa5DqwQ7gqsEO4L4Y4FbXfaWIQAAAAAoAJyEDRmAAACBAW0BAIICvIpXGkAAAAAAQMDBw=="} diff --git a/test/results/long_tls_certificate.pcap.out b/test/results/long_tls_certificate.pcap.out index af935cb20..1e8d7f9fd 100644 --- a/test/results/long_tls_certificate.pcap.out +++ b/test/results/long_tls_certificate.pcap.out @@ -7,7 +7,7 @@ 01074{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756181681181,"flow_dst_last_pkt_time":1609756181671657,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1609756181681181,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01136{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756181681181,"flow_dst_last_pkt_time":1609756182035428,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1609756182035428,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 05392{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182035731,"flow_dst_last_pkt_time":1609756182035821,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":6858,"midstream":0,"thread_ts_usec":1609756182035821,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","server_names":"*.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2","subjectDN":"C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com","alpn":"h2,http\/1.1","fingerprint":"2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA"}}} -01228{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182512712,"flow_dst_last_pkt_time":1609756182787262,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":906,"flow_dst_tot_l4_payload_len":9549,"midstream":0,"thread_ts_usec":1609756182787262,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":76295560.0,"flow_max":2438759797,"flow_stddev":424311136.0,"c_to_s_min":4,"c_to_s_avg":143527744.0,"c_to_s_max":2438759797,"c_to_s_stddev":573808000.0,"s_to_c_min":6,"s_to_c_avg":99092.9,"s_to_c_max":370788,"s_to_c_stddev":135474.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":110.8,"c_to_s_max":571,"c_to_s_stddev":119.8,"s_to_c_min":60,"s_to_c_avg":695.0,"s_to_c_max":1506,"s_to_c_stddev":663.1}}} +01207{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182512712,"flow_dst_last_pkt_time":1609756182787262,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":906,"flow_dst_tot_l4_payload_len":9549,"midstream":0,"thread_ts_usec":1609756182787262,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":87039.9,"flow_max":370939,"flow_stddev":130477.0,"c_to_s_min":4,"c_to_s_avg":75740.2,"c_to_s_max":370939,"c_to_s_stddev":124557.0,"s_to_c_min":6,"s_to_c_avg":99092.9,"s_to_c_max":370788,"s_to_c_stddev":135474.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":110.8,"c_to_s_max":571,"c_to_s_stddev":119.8,"s_to_c_min":60,"s_to_c_avg":695.0,"s_to_c_max":1506,"s_to_c_stddev":663.1}}} 05394{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182512712,"flow_dst_last_pkt_time":1609756182787262,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":906,"flow_dst_tot_l4_payload_len":9549,"midstream":0,"thread_ts_usec":1609756182787262,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","server_names":"*.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2","subjectDN":"C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com","alpn":"h2,http\/1.1","fingerprint":"2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA"}}} 01050{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":47,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":23,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756183156414,"flow_dst_last_pkt_time":1609756183162351,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1073,"flow_dst_tot_l4_payload_len":11027,"midstream":0,"thread_ts_usec":1609756183162351,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00573{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":47,"source":"long_tls_certificate.pcap","alias":"nDPId-test","packets-captured":47,"packets-processed":47,"total-skipped-flows":0,"total-l4-payload-len":12100,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1609756183162351} diff --git a/test/results/modbus.pcap.out b/test/results/modbus.pcap.out index f682ae7b4..282d1b78a 100644 --- a/test/results/modbus.pcap.out +++ b/test/results/modbus.pcap.out @@ -5,7 +5,7 @@ 00868{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1223541953927963,"flow_src_last_pkt_time":1223541953927963,"flow_dst_last_pkt_time":1223541953927963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1223541953927963,"l3_proto":"ip4","src_ip":"192.168.110.131","dst_ip":"192.168.110.138","src_port":2074,"dst_port":502,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Modbus","proto_id":"44","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1223541953927963,"flow_dst_last_pkt_time":1223541953929098,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"thread_ts_usec":1223541953929098,"pkt":"AArkxYMKABzAX0kKCABFAAAzO9pAAIAGYIzAqG6KwKhugwH2CBrhFTrOQdLq0lAY++v\/BAAAANEAAAAFAQMCAAA="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1223541953929171,"flow_dst_last_pkt_time":1223541953929098,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1223541953929171,"pkt":"ABzAX0kKAArkxYMKCABFAAA0i\/5AAIAGEGfAqG6DwKhuiggaAfZB0urS4RU62VAY\/LsAJgAAANIAAAAGAQMAAAAB"} -01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1223541953927963,"flow_src_last_pkt_time":1223541960939284,"flow_dst_last_pkt_time":1223541960940128,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":11,"flow_src_tot_l4_payload_len":192,"flow_dst_tot_l4_payload_len":176,"midstream":1,"thread_ts_usec":1223541960940128,"l3_proto":"ip4","src_ip":"192.168.110.131","dst_ip":"192.168.110.138","src_port":2074,"dst_port":502,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":835,"flow_avg":8581290.0,"flow_max":260577803,"flow_stddev":45262556.0,"c_to_s_min":1173,"c_to_s_avg":16724320.0,"c_to_s_max":260577803,"c_to_s_stddev":62964548.0,"s_to_c_min":835,"s_to_c_avg":438260.3,"s_to_c_max":1014211,"s_to_c_stddev":495917.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":66.0,"c_to_s_max":66,"c_to_s_stddev":0.0,"s_to_c_min":65,"s_to_c_avg":65.0,"s_to_c_max":65,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Modbus","proto_id":"44","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01345{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1223541953927963,"flow_src_last_pkt_time":1223541960939284,"flow_dst_last_pkt_time":1223541960940128,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":11,"flow_src_tot_l4_payload_len":192,"flow_dst_tot_l4_payload_len":176,"midstream":1,"thread_ts_usec":1223541960940128,"l3_proto":"ip4","src_ip":"192.168.110.131","dst_ip":"192.168.110.138","src_port":2074,"dst_port":502,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":835,"flow_avg":452370.5,"flow_max":1014211,"flow_stddev":497296.8,"c_to_s_min":1173,"c_to_s_avg":467421.4,"c_to_s_max":1013603,"c_to_s_stddev":498324.1,"s_to_c_min":835,"s_to_c_avg":438260.3,"s_to_c_max":1014211,"s_to_c_stddev":495917.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":66.0,"c_to_s_max":66,"c_to_s_stddev":0.0,"s_to_c_min":65,"s_to_c_avg":65.0,"s_to_c_max":65,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Modbus","proto_id":"44","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00915{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":102,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":51,"flow_dst_packets_processed":51,"flow_first_seen":1223541953927963,"flow_src_last_pkt_time":1223541977036283,"flow_dst_last_pkt_time":1223541977037227,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":11,"flow_src_tot_l4_payload_len":612,"flow_dst_tot_l4_payload_len":561,"midstream":1,"thread_ts_usec":1223541977037227,"l3_proto":"ip4","src_ip":"192.168.110.131","dst_ip":"192.168.110.138","src_port":2074,"dst_port":502,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Modbus","proto_id":"44","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":102,"source":"modbus.pcap","alias":"nDPId-test","packets-captured":102,"packets-processed":102,"total-skipped-flows":0,"total-l4-payload-len":1173,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1223541977037227} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121536/121536 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 477 chars -~~ json string max len.......: 1361 chars -~~ json string avg len.......: 886 chars +~~ json string max len.......: 1350 chars +~~ json string avg len.......: 881 chars diff --git a/test/results/monero.pcap.out b/test/results/monero.pcap.out index 62c900b6b..0965b289f 100644 --- a/test/results/monero.pcap.out +++ b/test/results/monero.pcap.out @@ -10,8 +10,8 @@ 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1514196196437568,"flow_dst_last_pkt_time":1514196196745688,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1514196196745688,"pkt":"cIXCQ0+ifmgbW\/gUCABFAAA0AABAACEGefF006fDwKgClA0F0lYVgl9O8ygDlIASchDSRAAAAgQFpAEBBAIBAwMH"} 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1514196196745729,"flow_dst_last_pkt_time":1514196196745688,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1514196196745729,"pkt":"fmgbW\/gUcIXCQ0+iCABFAAAoltdAAEAGxCXAqAKUdNOnw9JWDQXzKAOUFYJfT1AQAOWEMgAA"} 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1514196196437568,"flow_src_last_pkt_time":1514196196745906,"flow_dst_last_pkt_time":1514196196745688,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":98,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":98,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1514196196745906,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"116.211.167.195","src_port":53846,"dst_port":3333,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01601{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"monero.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1514196188350524,"flow_src_last_pkt_time":1514196304559034,"flow_dst_last_pkt_time":1514196304640605,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":8887,"flow_dst_tot_l4_payload_len":914,"midstream":0,"thread_ts_usec":1514196304640605,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"94.23.199.191","src_port":46838,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":13,"flow_avg":43927400.0,"flow_max":1173178156,"flow_stddev":203645168.0,"c_to_s_min":101,"c_to_s_avg":75846272.0,"c_to_s_max":1173178156,"c_to_s_stddev":274909856.0,"s_to_c_min":13,"s_to_c_avg":7752672.0,"s_to_c_max":71693099,"s_to_c_stddev":18889344.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":589.2,"c_to_s_max":1514,"c_to_s_stddev":677.1,"s_to_c_min":66,"s_to_c_avg":127.5,"s_to_c_max":376,"s_to_c_stddev":102.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01602{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":159,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1514196196437568,"flow_src_last_pkt_time":1514196705571136,"flow_dst_last_pkt_time":1514196705879789,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":3127,"flow_dst_tot_l4_payload_len":2699,"midstream":0,"thread_ts_usec":1514196705879789,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"116.211.167.195","src_port":53846,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":32075564.0,"flow_max":170525395,"flow_stddev":51154344.0,"c_to_s_min":83,"c_to_s_avg":30410342.0,"c_to_s_max":170525395,"c_to_s_stddev":50076204.0,"s_to_c_min":11,"s_to_c_avg":33962812.0,"s_to_c_max":170525387,"s_to_c_stddev":52285332.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":239.1,"c_to_s_max":1498,"c_to_s_stddev":458.6,"s_to_c_min":60,"s_to_c_avg":235.9,"s_to_c_max":364,"s_to_c_stddev":139.5}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"monero.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1514196188350524,"flow_src_last_pkt_time":1514196304559034,"flow_dst_last_pkt_time":1514196304640605,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":8887,"flow_dst_tot_l4_payload_len":914,"midstream":0,"thread_ts_usec":1514196304640605,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"94.23.199.191","src_port":46838,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":13,"flow_avg":7499954.5,"flow_max":71693099,"flow_stddev":18613570.0,"c_to_s_min":101,"c_to_s_avg":7263032.0,"c_to_s_max":71569648,"c_to_s_stddev":18348106.0,"s_to_c_min":13,"s_to_c_avg":7752672.0,"s_to_c_max":71693099,"s_to_c_stddev":18889344.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":589.2,"c_to_s_max":1514,"c_to_s_stddev":677.1,"s_to_c_min":66,"s_to_c_avg":127.5,"s_to_c_max":376,"s_to_c_stddev":102.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01602{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":159,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1514196196437568,"flow_src_last_pkt_time":1514196705571136,"flow_dst_last_pkt_time":1514196705879789,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":3127,"flow_dst_tot_l4_payload_len":2699,"midstream":0,"thread_ts_usec":1514196705879789,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"116.211.167.195","src_port":53846,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":32857284.0,"flow_max":170525395,"flow_stddev":51784400.0,"c_to_s_min":83,"c_to_s_avg":31820848.0,"c_to_s_max":170525395,"c_to_s_stddev":51288696.0,"s_to_c_min":11,"s_to_c_avg":33962812.0,"s_to_c_max":170525387,"s_to_c_stddev":52285332.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":239.1,"c_to_s_max":1498,"c_to_s_stddev":458.6,"s_to_c_min":60,"s_to_c_avg":235.9,"s_to_c_max":364,"s_to_c_stddev":139.5}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":199,"source":"monero.pcap","alias":"nDPId-test","packets-captured":199,"packets-processed":198,"total-skipped-flows":0,"total-l4-payload-len":82647,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":1514196819733875} 01148{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":319,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":23,"flow_first_seen":1514196196437568,"flow_src_last_pkt_time":1514197261597871,"flow_dst_last_pkt_time":1514197261597824,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":3127,"flow_dst_tot_l4_payload_len":4584,"midstream":0,"thread_ts_usec":1514197279769698,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"116.211.167.195","src_port":53846,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 01150{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":319,"source":"monero.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":159,"flow_dst_packets_processed":113,"flow_first_seen":1514196188350524,"flow_src_last_pkt_time":1514197279769698,"flow_dst_last_pkt_time":1514197279769664,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":132641,"flow_dst_tot_l4_payload_len":5738,"midstream":0,"thread_ts_usec":1514197279769698,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"94.23.199.191","src_port":46838,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} diff --git a/test/results/nest_log_sink.pcap.out b/test/results/nest_log_sink.pcap.out index 73431f8a4..1d8eeed12 100644 --- a/test/results/nest_log_sink.pcap.out +++ b/test/results/nest_log_sink.pcap.out @@ -5,7 +5,7 @@ 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1536712992228658,"flow_dst_last_pkt_time":1536712992289465,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1536712992289465,"pkt":"GLQwJjRAAJD7JidrCABFAAAoNpRAAC0G7egjrlLtwKjyDytX92zEgGGFCKi\/QFAQgdDz\/QAA"} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1536713052295189,"flow_dst_last_pkt_time":1536712992289465,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536713052295189,"pkt":"AJD7JidrGLQwJjRACABFAAAoL2MAAP8GYxnAqPIPI65S7fdsK1cIqL8\/xIBhhVAQD+Vl6gAAAAAAAAAA"} 00559{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":51,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":51,"packets-processed":30,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":7,"global_ts_usec":1536713593921755} -01223{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":60807,"flow_avg":20842814.0,"flow_max":3758490658,"flow_stddev":665778496.0,"c_to_s_min":204086,"c_to_s_avg":4076028.8,"c_to_s_max":3758490658,"c_to_s_stddev":940809664.0,"s_to_c_min":60807,"s_to_c_avg":37609600.0,"s_to_c_max":60122070,"s_to_c_stddev":28927976.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":60.0,"c_to_s_max":60,"c_to_s_stddev":0.0,"s_to_c_min":54,"s_to_c_avg":54.0,"s_to_c_max":54,"s_to_c_stddev":0.0}}} +01218{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":60807,"flow_avg":38820860.0,"flow_max":60122070,"flow_stddev":28558074.0,"c_to_s_min":204086,"c_to_s_avg":40112876.0,"c_to_s_max":60071977,"c_to_s_stddev":28100662.0,"s_to_c_min":60807,"s_to_c_avg":37609600.0,"s_to_c_max":60122070,"s_to_c_stddev":28927976.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":60.0,"c_to_s_max":60,"c_to_s_stddev":0.0,"s_to_c_min":54,"s_to_c_avg":54.0,"s_to_c_max":54,"s_to_c_stddev":0.0}}} 00897{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":52,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"NestLogSink.AmazonAWS","proto_id":"43.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":52,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"NestLogSink.AmazonAWS","proto_id":"43.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":101,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":101,"packets-processed":60,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1536714195599741} @@ -19,7 +19,7 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":136,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1536714602612148,"flow_dst_last_pkt_time":1536714602681891,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536714602681891,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX927RT8zNCL8kJGASbvDKWAAAAgQFjA=="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1536714602684345,"flow_dst_last_pkt_time":1536714602681891,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536714602684345,"pkt":"AJD7JidrGLQwJjRACABFAAAoL4sAAP8GGxbAqPIPI7yauvduK1cIvyQk0U\/MzlAQEgA+3gAAAAAAAAAA"} 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":142,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714604778211,"flow_dst_last_pkt_time":1536714603395466,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":583,"flow_dst_tot_l4_payload_len":679,"midstream":0,"thread_ts_usec":1536714604778211,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01364{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":166,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714605710820,"flow_dst_last_pkt_time":1536714605694468,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":5203,"flow_dst_tot_l4_payload_len":1231,"midstream":0,"thread_ts_usec":1536714605710820,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":55,"flow_avg":193932.5,"flow_max":1490586,"flow_stddev":349421.3,"c_to_s_min":8456,"c_to_s_avg":183736.5,"c_to_s_max":1347393,"c_to_s_stddev":320189.2,"s_to_c_min":55,"s_to_c_avg":205488.0,"s_to_c_max":1490586,"s_to_c_stddev":379510.1},"pktlen": {"c_to_s_min":60,"c_to_s_avg":361.5,"c_to_s_max":585,"c_to_s_stddev":210.4,"s_to_c_min":54,"s_to_c_avg":136.3,"s_to_c_max":733,"s_to_c_stddev":161.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01364{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":166,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714605710820,"flow_dst_last_pkt_time":1536714605694468,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":5203,"flow_dst_tot_l4_payload_len":1231,"midstream":0,"thread_ts_usec":1536714605710820,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":55,"flow_avg":199386.8,"flow_max":1490586,"flow_stddev":353669.1,"c_to_s_min":8456,"c_to_s_avg":193667.0,"c_to_s_max":1347393,"c_to_s_stddev":327493.9,"s_to_c_min":55,"s_to_c_avg":205488.0,"s_to_c_max":1490586,"s_to_c_stddev":379510.1},"pktlen": {"c_to_s_min":60,"c_to_s_avg":361.5,"c_to_s_max":585,"c_to_s_stddev":210.4,"s_to_c_min":54,"s_to_c_avg":136.3,"s_to_c_max":733,"s_to_c_stddev":161.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":211,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1536714607328073,"flow_dst_last_pkt_time":1536714602587655,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"thread_ts_usec":1536714607328073,"pkt":"AJD7JidrGLQwJjRACABFAABXL7IAAP8RJoHAqPIPwKjyAc5xADUAQyQGbMYBAAABAAAAAAAAB2N6ZmUxMDUHZnJvbnQwMQVpYWQwMQpwcm9kdWN0aW9uBG5lc3QDY29tAAABAAE="} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":214,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536714607530778,"flow_src_last_pkt_time":1536714607530778,"flow_dst_last_pkt_time":1536714607530778,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536714607530778,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63343,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":214,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1536714607530778,"flow_dst_last_pkt_time":1536714607530778,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536714607530778,"pkt":"AJD7JidrGLQwJjRACABFAAAsL7MAAP8GYsXAqPIPI65S7fdvK1cIymiPAAAAAGACEgDJ5gAAAgQEgAAA"} @@ -31,7 +31,7 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":238,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1536714610253460,"flow_dst_last_pkt_time":1536714610314466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536714610314466,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93Bcs3xVCNWtCGASbvAGcQAAAgQFjA=="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":239,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1536714610318069,"flow_dst_last_pkt_time":1536714610314466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536714610318069,"pkt":"AJD7JidrGLQwJjRACABFAAAoL78AAP8GGuLAqPIPI7yauvdwK1cI1a0IXLN8VlAQEgB69gAAAAAAAAAA"} 00885{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":248,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":3,"flow_first_seen":1536714610253460,"flow_src_last_pkt_time":1536714615108363,"flow_dst_last_pkt_time":1536714613730371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":678,"midstream":0,"thread_ts_usec":1536714615108363,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63344,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01380{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":270,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536714607530778,"flow_src_last_pkt_time":1536714735302616,"flow_dst_last_pkt_time":1536714735750574,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":2066,"midstream":0,"thread_ts_usec":1536714735750574,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63343,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7081,"flow_avg":8154211.0,"flow_max":60077555,"flow_stddev":19593322.0,"c_to_s_min":7081,"c_to_s_avg":7806762.5,"c_to_s_max":60063791,"c_to_s_stddev":19052326.0,"s_to_c_min":16458,"s_to_c_avg":8547986.0,"s_to_c_max":60077555,"s_to_c_stddev":20181708.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":171.4,"c_to_s_max":585,"c_to_s_stddev":155.6,"s_to_c_min":54,"s_to_c_avg":192.0,"s_to_c_max":731,"s_to_c_stddev":212.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01380{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":270,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536714607530778,"flow_src_last_pkt_time":1536714735302616,"flow_dst_last_pkt_time":1536714735750574,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":2066,"midstream":0,"thread_ts_usec":1536714735750574,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63343,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7081,"flow_avg":8257794.5,"flow_max":60077555,"flow_stddev":19898212.0,"c_to_s_min":7081,"c_to_s_avg":7985740.0,"c_to_s_max":60063791,"c_to_s_stddev":19624818.0,"s_to_c_min":16458,"s_to_c_avg":8547986.0,"s_to_c_max":60077555,"s_to_c_stddev":20181708.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":171.4,"c_to_s_max":585,"c_to_s_stddev":155.6,"s_to_c_min":54,"s_to_c_avg":192.0,"s_to_c_max":731,"s_to_c_stddev":212.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00939{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":274,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":42,"flow_dst_packets_processed":41,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536714607325706,"flow_dst_last_pkt_time":1536714607385830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":62,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":62,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536714735752625,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"2":"Match by IP"},"proto":"NestLogSink.AmazonAWS","proto_id":"43.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00927{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":274,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":37,"flow_dst_packets_processed":35,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714607322501,"flow_dst_last_pkt_time":1536714607319686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":12610,"flow_dst_tot_l4_payload_len":2221,"midstream":0,"thread_ts_usec":1536714735752625,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":274,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":10,"flow_first_seen":1536714610253460,"flow_src_last_pkt_time":1536714615546363,"flow_dst_last_pkt_time":1536714615544009,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":845,"midstream":0,"thread_ts_usec":1536714735752625,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63344,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -49,7 +49,7 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":409,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1536716402828004,"flow_dst_last_pkt_time":1536716402889007,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536716402889007,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93El8kNOCOENtmASbvAVfwAAAgQFjA=="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":410,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1536716402894336,"flow_dst_last_pkt_time":1536716402889007,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536716402894336,"pkt":"AJD7JidrGLQwJjRACABFAAAoL\/kAAP8GGqjAqPIPI7yauvdxK1cI4Q22JfJDT1AQEgCKBAAAAAAAAAAA"} 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":415,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536716402828004,"flow_src_last_pkt_time":1536716404974579,"flow_dst_last_pkt_time":1536716403590967,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":582,"flow_dst_tot_l4_payload_len":678,"midstream":0,"thread_ts_usec":1536716404974579,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01365{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":439,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536716402828004,"flow_src_last_pkt_time":1536716405720045,"flow_dst_last_pkt_time":1536716405705936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1230,"midstream":0,"thread_ts_usec":1536716405720045,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":33,"flow_avg":181037.9,"flow_max":1477502,"flow_stddev":333740.5,"c_to_s_min":11824,"c_to_s_avg":171487.1,"c_to_s_max":1166948,"c_to_s_stddev":286996.1,"s_to_c_min":33,"s_to_c_avg":191862.1,"s_to_c_max":1477502,"s_to_c_stddev":379535.2},"pktlen": {"c_to_s_min":60,"c_to_s_avg":361.4,"c_to_s_max":584,"c_to_s_stddev":210.4,"s_to_c_min":54,"s_to_c_avg":136.3,"s_to_c_max":732,"s_to_c_stddev":161.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01365{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":439,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536716402828004,"flow_src_last_pkt_time":1536716405720045,"flow_dst_last_pkt_time":1536716405705936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1230,"midstream":0,"thread_ts_usec":1536716405720045,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":33,"flow_avg":186128.2,"flow_max":1477502,"flow_stddev":337855.8,"c_to_s_min":11824,"c_to_s_avg":180752.6,"c_to_s_max":1166948,"c_to_s_stddev":293351.7,"s_to_c_min":33,"s_to_c_avg":191862.1,"s_to_c_max":1477502,"s_to_c_stddev":379535.2},"pktlen": {"c_to_s_min":60,"c_to_s_avg":361.4,"c_to_s_max":584,"c_to_s_stddev":210.4,"s_to_c_min":54,"s_to_c_avg":136.3,"s_to_c_max":732,"s_to_c_stddev":161.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":483,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1536716407003782,"flow_dst_last_pkt_time":1536716402805070,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"thread_ts_usec":1536716407003782,"pkt":"AJD7JidrGLQwJjRACABFAABXMB8AAP8RJhTAqPIPwKjyAc5xADUAQ16pMiMBAAABAAAAAAAAB2N6ZmUxMDUHZnJvbnQwMQVpYWQwMQpwcm9kdWN0aW9uBG5lc3QDY29tAAABAAE="} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":486,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536716407119984,"flow_src_last_pkt_time":1536716407119984,"flow_dst_last_pkt_time":1536716407119984,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536716407119984,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63346,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":486,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1536716407119984,"flow_dst_last_pkt_time":1536716407119984,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536716407119984,"pkt":"AJD7JidrGLQwJjRACABFAAAsMCAAAP8GYljAqPIPI65S7fdyK1cI7G5zAAAAAGACEgDD3QAAAgQEgAAA"} @@ -64,7 +64,7 @@ 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":60,"flow_dst_packets_processed":56,"flow_first_seen":1536714607530778,"flow_src_last_pkt_time":1536716407001445,"flow_dst_last_pkt_time":1536716407068096,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":2003,"flow_dst_tot_l4_payload_len":2066,"midstream":0,"thread_ts_usec":1536716532891336,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63343,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00927{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":36,"flow_dst_packets_processed":35,"flow_first_seen":1536716402828004,"flow_src_last_pkt_time":1536716406969810,"flow_dst_last_pkt_time":1536716406967430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":12633,"flow_dst_tot_l4_payload_len":2220,"midstream":0,"thread_ts_usec":1536716532891336,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":10,"flow_first_seen":1536716409847406,"flow_src_last_pkt_time":1536716412657238,"flow_dst_last_pkt_time":1536716412651629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":1413,"flow_dst_tot_l4_payload_len":846,"midstream":0,"thread_ts_usec":1536716532891336,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63347,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01381{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536716407119984,"flow_src_last_pkt_time":1536716592513963,"flow_dst_last_pkt_time":1536716532889304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":1905,"midstream":0,"thread_ts_usec":1536716592513963,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63346,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6654,"flow_avg":9858694.0,"flow_max":60065954,"flow_stddev":21521158.0,"c_to_s_min":6654,"c_to_s_avg":10539383.0,"c_to_s_max":60065954,"c_to_s_stddev":22034862.0,"s_to_c_min":15391,"s_to_c_avg":8983523.0,"s_to_c_max":60063694,"s_to_c_stddev":20809396.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":165.2,"c_to_s_max":585,"c_to_s_stddev":153.3,"s_to_c_min":54,"s_to_c_avg":190.4,"s_to_c_max":731,"s_to_c_stddev":219.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01382{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536716407119984,"flow_src_last_pkt_time":1536716592513963,"flow_dst_last_pkt_time":1536716532889304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":1905,"midstream":0,"thread_ts_usec":1536716592513963,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63346,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6654,"flow_avg":10037526.0,"flow_max":60065954,"flow_stddev":21842106.0,"c_to_s_min":6654,"c_to_s_avg":10905528.0,"c_to_s_max":60065954,"c_to_s_stddev":22620408.0,"s_to_c_min":15391,"s_to_c_avg":8983523.0,"s_to_c_max":60063694,"s_to_c_stddev":20809396.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":165.2,"c_to_s_max":585,"c_to_s_stddev":153.3,"s_to_c_min":54,"s_to_c_avg":190.4,"s_to_c_max":731,"s_to_c_stddev":219.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00910{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":547,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1536716402804764,"flow_src_last_pkt_time":1536716407003782,"flow_dst_last_pkt_time":1536716407116756,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536716592575967,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00567{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":547,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":547,"packets-processed":424,"total-skipped-flows":0,"total-l4-payload-len":43270,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":9,"total-detection-updates":2,"total-updates":0,"current-active-flows":1,"total-active-flows":9,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":69,"global_ts_usec":1536716652586979} 00567{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":595,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":595,"packets-processed":452,"total-skipped-flows":0,"total-l4-payload-len":43270,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":9,"total-detection-updates":2,"total-updates":0,"current-active-flows":1,"total-active-flows":9,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":70,"global_ts_usec":1536717254253428} @@ -79,7 +79,7 @@ 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":615,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1536717428089363,"flow_dst_last_pkt_time":1536717428146200,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536717428146200,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93SD5IA7CQNADmASbvBIIgAAAgQFjA=="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":616,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1536717428152738,"flow_dst_last_pkt_time":1536717428146200,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536717428152738,"pkt":"AJD7JidrGLQwJjRACABFAAAoMFIAAP8GGk\/AqPIPI7yauvd0K1cJA0AOg+SAPFAQEgC8pwAAAAAAAAAA"} 00885{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":621,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536717428089363,"flow_src_last_pkt_time":1536717430226245,"flow_dst_last_pkt_time":1536717428843719,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":582,"flow_dst_tot_l4_payload_len":678,"midstream":0,"thread_ts_usec":1536717430226245,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01366{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":645,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717428089363,"flow_src_last_pkt_time":1536717430971296,"flow_dst_last_pkt_time":1536717430957587,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1230,"midstream":0,"thread_ts_usec":1536717430971296,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":41,"flow_avg":183676.2,"flow_max":1475007,"flow_stddev":331969.6,"c_to_s_min":10769,"c_to_s_avg":177024.3,"c_to_s_max":1167126,"c_to_s_stddev":284290.8,"s_to_c_min":41,"s_to_c_avg":191214.9,"s_to_c_max":1475007,"s_to_c_stddev":378678.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":361.4,"c_to_s_max":584,"c_to_s_stddev":210.4,"s_to_c_min":54,"s_to_c_avg":136.3,"s_to_c_max":732,"s_to_c_stddev":161.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01366{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":645,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717428089363,"flow_src_last_pkt_time":1536717430971296,"flow_dst_last_pkt_time":1536717430957587,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1230,"midstream":0,"thread_ts_usec":1536717430971296,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":41,"flow_avg":185488.9,"flow_max":1475007,"flow_stddev":337125.5,"c_to_s_min":10769,"c_to_s_avg":180120.8,"c_to_s_max":1167126,"c_to_s_stddev":292762.1,"s_to_c_min":41,"s_to_c_avg":191214.9,"s_to_c_max":1475007,"s_to_c_stddev":378678.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":361.4,"c_to_s_max":584,"c_to_s_stddev":210.4,"s_to_c_min":54,"s_to_c_avg":136.3,"s_to_c_max":732,"s_to_c_stddev":161.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":674,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536717450091191,"flow_src_last_pkt_time":1536717450091191,"flow_dst_last_pkt_time":1536717450091191,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536717450091191,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63349,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":674,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1536717450091191,"flow_dst_last_pkt_time":1536717450091191,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536717450091191,"pkt":"AJD7JidrGLQwJjRACABFAAAsMG8AAP8GYgnAqPIPI65S7fd1K1cJDrE1AAAAAGACEgCA9gAAAgQEgAAA"} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":675,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1536717450091191,"flow_dst_last_pkt_time":1536717450156309,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536717450156309,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAAC0GJHkjrlLtwKjyDytX93XProMNCQ6xNmASaQPV8QAAAgQFtA=="} @@ -88,7 +88,7 @@ 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":707,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":41,"flow_dst_packets_processed":37,"flow_first_seen":1536716407119984,"flow_src_last_pkt_time":1536717449932250,"flow_dst_last_pkt_time":1536717449999275,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":2003,"flow_dst_tot_l4_payload_len":1905,"midstream":0,"thread_ts_usec":1536717572672015,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63346,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00927{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":707,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":24,"flow_first_seen":1536717428089363,"flow_src_last_pkt_time":1536717431514012,"flow_dst_last_pkt_time":1536717431511560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":7728,"flow_dst_tot_l4_payload_len":1615,"midstream":0,"thread_ts_usec":1536717572672015,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00912{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":711,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1536717427961883,"flow_src_last_pkt_time":1536717449934587,"flow_dst_last_pkt_time":1536717450088270,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":139,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536717632764427,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01384{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":713,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717450091191,"flow_src_last_pkt_time":1536717692809761,"flow_dst_last_pkt_time":1536717693064770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1560,"flow_dst_tot_l4_payload_len":1740,"midstream":0,"thread_ts_usec":1536717693064770,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63349,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4297,"flow_avg":15865576.0,"flow_max":60116188,"flow_stddev":25753908.0,"c_to_s_min":4297,"c_to_s_avg":15572050.0,"c_to_s_max":60108066,"c_to_s_stddev":25147510.0,"s_to_c_min":14503,"s_to_c_avg":16198239.0,"s_to_c_max":60116188,"s_to_c_stddev":26420398.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":149.3,"c_to_s_max":584,"c_to_s_stddev":140.6,"s_to_c_min":54,"s_to_c_avg":170.3,"s_to_c_max":732,"s_to_c_stddev":217.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01384{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":713,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717450091191,"flow_src_last_pkt_time":1536717692809761,"flow_dst_last_pkt_time":1536717693064770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1560,"flow_dst_tot_l4_payload_len":1740,"midstream":0,"thread_ts_usec":1536717693064770,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63349,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4297,"flow_avg":15667489.0,"flow_max":60116188,"flow_stddev":26141992.0,"c_to_s_min":4297,"c_to_s_avg":15169911.0,"c_to_s_max":60108066,"c_to_s_stddev":25868378.0,"s_to_c_min":14503,"s_to_c_avg":16198239.0,"s_to_c_max":60116188,"s_to_c_stddev":26420398.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":149.3,"c_to_s_max":584,"c_to_s_stddev":140.6,"s_to_c_min":54,"s_to_c_avg":170.3,"s_to_c_max":732,"s_to_c_stddev":217.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00570{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":727,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":727,"packets-processed":562,"total-skipped-flows":0,"total-l4-payload-len":56297,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":12,"total-detection-updates":3,"total-updates":0,"current-active-flows":1,"total-active-flows":12,"total-idle-flows":11,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":92,"global_ts_usec":1536717873194026} 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":745,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536718052990525,"flow_src_last_pkt_time":1536718052990525,"flow_dst_last_pkt_time":1536718052990525,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536718052990525,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63350,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":745,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_src_last_pkt_time":1536718052990525,"flow_dst_last_pkt_time":1536718052990525,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536718052990525,"pkt":"AJD7JidrGLQwJjRACABFAAAsMIsAAP8GYe3AqPIPI65S7fd2K1cJGivXAAAAAGACEgAGSAAAAgQEgAAA"} @@ -106,10 +106,10 @@ 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":782,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_src_last_pkt_time":1536718202984094,"flow_dst_last_pkt_time":1536718203039605,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536718203039605,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93fElurmCSWo1mASbvAz1wAAAgQFjA=="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":783,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1536718203042198,"flow_dst_last_pkt_time":1536718203039605,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536718203042198,"pkt":"AJD7JidrGLQwJjRACABFAAAoMJwAAP8GGgXAqPIPI7yauvd3K1cJJajWxJbq51AQEgCoXAAAAAAAAAAA"} 00885{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":788,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536718202984094,"flow_src_last_pkt_time":1536718205132060,"flow_dst_last_pkt_time":1536718203746505,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":582,"flow_dst_tot_l4_payload_len":679,"midstream":0,"thread_ts_usec":1536718205132060,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01365{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":812,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536718202984094,"flow_src_last_pkt_time":1536718205917650,"flow_dst_last_pkt_time":1536718205903699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1231,"midstream":0,"thread_ts_usec":1536718205917650,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":34,"flow_avg":183676.5,"flow_max":1484002,"flow_stddev":348476.3,"c_to_s_min":5185,"c_to_s_avg":174002.6,"c_to_s_max":1319785,"c_to_s_stddev":317317.0,"s_to_c_min":34,"s_to_c_avg":194640.3,"s_to_c_max":1484002,"s_to_c_stddev":380422.5},"pktlen": {"c_to_s_min":60,"c_to_s_avg":361.4,"c_to_s_max":584,"c_to_s_stddev":210.4,"s_to_c_min":54,"s_to_c_avg":136.3,"s_to_c_max":733,"s_to_c_stddev":161.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01365{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":812,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536718202984094,"flow_src_last_pkt_time":1536718205917650,"flow_dst_last_pkt_time":1536718205903699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1231,"midstream":0,"thread_ts_usec":1536718205917650,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":34,"flow_avg":188811.6,"flow_max":1484002,"flow_stddev":352858.6,"c_to_s_min":5185,"c_to_s_avg":183347.2,"c_to_s_max":1319785,"c_to_s_stddev":324805.6,"s_to_c_min":34,"s_to_c_avg":194640.3,"s_to_c_max":1484002,"s_to_c_stddev":380422.5},"pktlen": {"c_to_s_min":60,"c_to_s_avg":361.4,"c_to_s_max":584,"c_to_s_stddev":210.4,"s_to_c_min":54,"s_to_c_avg":136.3,"s_to_c_max":733,"s_to_c_stddev":161.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":834,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718206572751,"flow_dst_last_pkt_time":1536718206572751,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536718206572751,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":834,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1536718206572751,"flow_dst_last_pkt_time":1536718206572751,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536718206572751,"pkt":"AJD7JidrGLQwJjRACABFAAAsMLcAAP8GYcHAqPIPI65S7fd4K1cJMSXhAAAAAGACEgAMJQAAAgQEgAAA"} -01382{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":835,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718052990525,"flow_src_last_pkt_time":1536718206570249,"flow_dst_last_pkt_time":1536718206634864,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1623,"flow_dst_tot_l4_payload_len":1739,"midstream":0,"thread_ts_usec":1536718206634864,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63350,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1252,"flow_avg":9600870.0,"flow_max":60155801,"flow_stddev":20436384.0,"c_to_s_min":1252,"c_to_s_avg":8532417.0,"c_to_s_max":60124304,"c_to_s_stddev":19487700.0,"s_to_c_min":15937,"s_to_c_avg":10974595.0,"s_to_c_max":60155801,"s_to_c_stddev":21517152.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":147.5,"c_to_s_max":585,"c_to_s_stddev":137.0,"s_to_c_min":54,"s_to_c_avg":178.5,"s_to_c_max":731,"s_to_c_stddev":222.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01382{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":835,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718052990525,"flow_src_last_pkt_time":1536718206570249,"flow_dst_last_pkt_time":1536718206634864,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1623,"flow_dst_tot_l4_payload_len":1739,"midstream":0,"thread_ts_usec":1536718206634864,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63350,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1252,"flow_avg":9910454.0,"flow_max":60155801,"flow_stddev":20689402.0,"c_to_s_min":1252,"c_to_s_avg":9034102.0,"c_to_s_max":60124304,"c_to_s_stddev":19939396.0,"s_to_c_min":15937,"s_to_c_avg":10974595.0,"s_to_c_max":60155801,"s_to_c_stddev":21517152.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":147.5,"c_to_s_max":585,"c_to_s_stddev":137.0,"s_to_c_min":54,"s_to_c_avg":178.5,"s_to_c_max":731,"s_to_c_stddev":222.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":836,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1536718206572751,"flow_dst_last_pkt_time":1536718206638073,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536718206638073,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAAC0GJHkjrlLtwKjyDytX93jm8XvxCTEl4mASaQNQ+QAAAgQFtA=="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":837,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1536718206640512,"flow_dst_last_pkt_time":1536718206638073,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536718206640512,"pkt":"AJD7JidrGLQwJjRACABFAAAoMLgAAP8GYcTAqPIPI65S7fd4K1cJMSXi5vF78lAQEgC\/uQAAAAAAAAAA"} 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":844,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718208745973,"flow_dst_last_pkt_time":1536718207366595,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":676,"flow_src_tot_l4_payload_len":584,"flow_dst_tot_l4_payload_len":676,"midstream":0,"thread_ts_usec":1536718208745973,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -121,7 +121,7 @@ 00926{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718052990525,"flow_src_last_pkt_time":1536718206570249,"flow_dst_last_pkt_time":1536718206634864,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1623,"flow_dst_tot_l4_payload_len":1739,"midstream":0,"thread_ts_usec":1536718332214337,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63350,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00927{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":24,"flow_first_seen":1536718202984094,"flow_src_last_pkt_time":1536718206546300,"flow_dst_last_pkt_time":1536718206542604,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":7843,"flow_dst_tot_l4_payload_len":1616,"midstream":0,"thread_ts_usec":1536718332214337,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00926{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":10,"flow_first_seen":1536718209313555,"flow_src_last_pkt_time":1536718211968199,"flow_dst_last_pkt_time":1536718211965770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1413,"flow_dst_tot_l4_payload_len":845,"midstream":0,"thread_ts_usec":1536718332214337,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63353,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01382{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718392321066,"flow_dst_last_pkt_time":1536718332214337,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":676,"flow_src_tot_l4_payload_len":1942,"flow_dst_tot_l4_payload_len":1904,"midstream":0,"thread_ts_usec":1536718392321066,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3754,"flow_avg":9731052.0,"flow_max":60173109,"flow_stddev":21678296.0,"c_to_s_min":3754,"c_to_s_avg":10319559.0,"c_to_s_max":60173109,"c_to_s_stddev":22263304.0,"s_to_c_min":17976,"s_to_c_avg":8974399.0,"s_to_c_max":60107028,"s_to_c_stddev":20877736.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":165.2,"c_to_s_max":586,"c_to_s_stddev":153.5,"s_to_c_min":54,"s_to_c_avg":190.3,"s_to_c_max":730,"s_to_c_stddev":219.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01383{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718392321066,"flow_dst_last_pkt_time":1536718332214337,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":676,"flow_src_tot_l4_payload_len":1942,"flow_dst_tot_l4_payload_len":1904,"midstream":0,"thread_ts_usec":1536718392321066,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4658,"flow_avg":10044835.0,"flow_max":60173109,"flow_stddev":21953530.0,"c_to_s_min":4658,"c_to_s_avg":10926372.0,"c_to_s_max":60173109,"c_to_s_stddev":22763632.0,"s_to_c_min":17976,"s_to_c_avg":8974399.0,"s_to_c_max":60107028,"s_to_c_stddev":20877736.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":165.2,"c_to_s_max":586,"c_to_s_stddev":153.5,"s_to_c_min":54,"s_to_c_avg":190.3,"s_to_c_max":730,"s_to_c_stddev":219.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00909{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":896,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1536718202959606,"flow_src_last_pkt_time":1536718202959606,"flow_dst_last_pkt_time":1536718202959785,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1536718392405835,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00571{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":900,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":900,"packets-processed":713,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":17,"total-detection-updates":4,"total-updates":0,"current-active-flows":1,"total-active-flows":17,"total-idle-flows":16,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":126,"global_ts_usec":1536718512170528} 00571{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":950,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":950,"packets-processed":743,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":17,"total-detection-updates":4,"total-updates":0,"current-active-flows":1,"total-active-flows":17,"total-idle-flows":16,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":127,"global_ts_usec":1536719113902134} diff --git a/test/results/netbios.pcap.out b/test/results/netbios.pcap.out index a68d62f7b..86e637142 100644 --- a/test/results/netbios.pcap.out +++ b/test/results/netbios.pcap.out @@ -16,7 +16,7 @@ 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":28,"source":"netbios.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772216537634,"flow_src_last_pkt_time":1447772216537634,"flow_dst_last_pkt_time":1447772216537634,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1447772216537634,"l3_proto":"ip4","src_ip":"10.0.4.24","dst_ip":"10.0.4.131","src_port":139,"dst_port":1398,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"netbios.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1447772216537634,"flow_dst_last_pkt_time":1447772216537634,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":21,"thread_ts_usec":1447772216537634,"pkt":"ABj+bLz3ABzEEHkPCABFAAApQatAAIAGnIkKAAQYCgAEgwCLBXatXRk68Re6KFAQ96kjtgAAAAAAAAAA"} 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"netbios.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1447772216537634,"flow_dst_last_pkt_time":1447772216537735,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1447772216537735,"pkt":"ABzEEHkPABj+bLz3CABFAAAoY6dAAIAGeo4KAASDCgAEGAV2AIvxF7oorV0ZO1AQ+ycgOAAAAAAAAAAA"} -01327{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":45,"source":"netbios.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1447772210350540,"flow_src_last_pkt_time":1447772220435262,"flow_dst_last_pkt_time":1447772210350540,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772220435262,"l3_proto":"ip4","src_ip":"10.0.4.131","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":14022,"flow_avg":99045712.0,"flow_max":3159378108,"flow_stddev":549651968.0,"c_to_s_min":14022,"c_to_s_avg":99045712.0,"c_to_s_max":3159378108,"c_to_s_stddev":549651968.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":92,"c_to_s_avg":92.0,"c_to_s_max":92,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +01309{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":45,"source":"netbios.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1447772210350540,"flow_src_last_pkt_time":1447772220435262,"flow_dst_last_pkt_time":1447772210350540,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772220435262,"l3_proto":"ip4","src_ip":"10.0.4.131","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":14022,"flow_avg":325313.6,"flow_max":749995,"flow_stddev":214669.9,"c_to_s_min":14022,"c_to_s_avg":325313.6,"c_to_s_max":749995,"c_to_s_stddev":214669.9,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":92,"c_to_s_avg":92.0,"c_to_s_max":92,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":54,"source":"netbios.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772221776592,"flow_src_last_pkt_time":1447772221776592,"flow_dst_last_pkt_time":1447772221776592,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772221776592,"l3_proto":"ip4","src_ip":"10.0.1.87","dst_ip":"10.0.4.24","src_port":57836,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":54,"source":"netbios.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1447772221776592,"flow_dst_last_pkt_time":1447772221776592,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772221776592,"pkt":"ABzEEHkPACFislxDCABFAABOBFAAAH8RHeEKAAFXCgAEGOHsAIkAOqS0IKgAAAABAAAAAAAAIENLQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBAAAhAAE="} 00871{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":54,"source":"netbios.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772221776592,"flow_src_last_pkt_time":1447772221776592,"flow_dst_last_pkt_time":1447772221776592,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772221776592,"l3_proto":"ip4","src_ip":"10.0.1.87","dst_ip":"10.0.4.24","src_port":57836,"dst_port":137,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"*"}} @@ -50,7 +50,7 @@ 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"netbios.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_src_last_pkt_time":1447772238721634,"flow_dst_last_pkt_time":1447772238721634,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772238721634,"pkt":"\/\/\/\/\/\/\/\/EGBLoLzrCABFAABOP6wAAIAR3OYKAAQOCgAF\/wCJAIkAOtzbuxABEAABAAAAAAAAIEVIRkZGQ0ZGQ0FDQUNBQ0FDQUNBQ0FDQUNBQ0FDQUFBAAAgAAE="} 00875{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":132,"source":"netbios.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772238721634,"flow_src_last_pkt_time":1447772238721634,"flow_dst_last_pkt_time":1447772238721634,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772238721634,"l3_proto":"ip4","src_ip":"10.0.4.14","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"guru"}} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"netbios.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1447772239929129,"flow_dst_last_pkt_time":1447772221882535,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772239929129,"pkt":"\/\/\/\/\/\/\/\/AOCBdSQGCABFAABOZPwAAIARtz8KAARlCgAF\/wCJAIkAOvRglzYBEAABAAAAAAAAIEVPRkdGQ0RKQ0FDQUNBQ0FDQUNBQ0FDQUNBQ0FDQUFBAAAgAAE="} -01314{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":144,"source":"netbios.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1447772211392771,"flow_src_last_pkt_time":1447772242251393,"flow_dst_last_pkt_time":1447772211392771,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772242251393,"l3_proto":"ip4","src_ip":"10.0.5.233","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":556935,"flow_avg":981736.1,"flow_max":1515990,"flow_stddev":358669.5,"c_to_s_min":556935,"c_to_s_avg":981736.1,"c_to_s_max":1515990,"c_to_s_stddev":358669.5,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":92,"c_to_s_avg":92.0,"c_to_s_max":92,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +01314{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":144,"source":"netbios.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1447772211392771,"flow_src_last_pkt_time":1447772242251393,"flow_dst_last_pkt_time":1447772211392771,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772242251393,"l3_proto":"ip4","src_ip":"10.0.5.233","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":749128,"flow_avg":995439.4,"flow_max":1515990,"flow_stddev":356068.3,"c_to_s_min":749128,"c_to_s_avg":995439.4,"c_to_s_max":1515990,"c_to_s_stddev":356068.3,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":92,"c_to_s_avg":92.0,"c_to_s_max":92,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00561{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":173,"source":"netbios.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_src_last_pkt_time":1447772248480903,"flow_dst_last_pkt_time":1447772238479218,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772248480903,"pkt":"ABzEEHkPAOCBt8asCABFAABORZkAAIAR1wUKAAXpCgAEGACJAIkAOgf2mjgAAAABAAAAAAAAIENLQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBAAAhAAE="} 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":186,"source":"netbios.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772251795162,"flow_src_last_pkt_time":1447772251795162,"flow_dst_last_pkt_time":1447772251795162,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772251795162,"l3_proto":"ip4","src_ip":"10.0.1.87","dst_ip":"10.0.4.24","src_port":57921,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":186,"source":"netbios.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1447772251795162,"flow_dst_last_pkt_time":1447772251795162,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772251795162,"pkt":"ABzEEHkPACFislxDCABFAABOJRwAAH8R\/RQKAAFXCgAEGOJBAIkAOqRfIKgAAAABAAAAAAAAIENLQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBAAAhAAE="} @@ -86,5 +86,5 @@ ~~ total allocations/frees...: 121826/121826 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 478 chars -~~ json string max len.......: 1332 chars -~~ json string avg len.......: 905 chars +~~ json string max len.......: 1319 chars +~~ json string avg len.......: 897 chars diff --git a/test/results/netflix.pcap.out b/test/results/netflix.pcap.out index 7a6e75d1d..e24b582c7 100644 --- a/test/results/netflix.pcap.out +++ b/test/results/netflix.pcap.out @@ -48,8 +48,8 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"netflix.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1484319033259678,"flow_dst_last_pkt_time":1484319033258390,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319033259678,"pkt":"gCqoTGHM5JjWH70UCABFAAA0m4FAAEAG5U7AqAEHNCDEJM99AbszkZRh0pqER4AQEBVneAAAAQEICh9kuYW2m8Wo"} 01169{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":101,"source":"netflix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319033206431,"flow_src_last_pkt_time":1484319033261891,"flow_dst_last_pkt_time":1484319033258390,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319033261891,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53117,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":103,"source":"netflix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319033206431,"flow_src_last_pkt_time":1484319033261891,"flow_dst_last_pkt_time":1484319033312558,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319033312558,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53117,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} -01460{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":133,"source":"netflix.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319032888907,"flow_src_last_pkt_time":1484319033506287,"flow_dst_last_pkt_time":1484319033504279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1665,"flow_dst_tot_l4_payload_len":5139,"midstream":0,"thread_ts_usec":1484319033506287,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53105,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":72,"flow_avg":38709.7,"flow_max":363670,"flow_stddev":80776.7,"c_to_s_min":137,"c_to_s_avg":34629.9,"c_to_s_max":310931,"c_to_s_stddev":70953.4,"s_to_c_min":72,"s_to_c_avg":43955.1,"s_to_c_max":363670,"s_to_c_stddev":91609.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":159.2,"c_to_s_max":422,"c_to_s_stddev":137.4,"s_to_c_min":66,"s_to_c_avg":433.6,"s_to_c_max":1514,"s_to_c_stddev":541.5}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} -01198{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":134,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319032986624,"flow_src_last_pkt_time":1484319033498318,"flow_dst_last_pkt_time":1484319033554363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4381,"flow_dst_tot_l4_payload_len":7721,"midstream":0,"thread_ts_usec":1484319033554363,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":191,"flow_avg":35033.2,"flow_max":199917,"flow_stddev":46845.9,"c_to_s_min":191,"c_to_s_avg":32548.5,"c_to_s_max":141147,"c_to_s_stddev":43557.2,"s_to_c_min":234,"s_to_c_avg":37849.3,"s_to_c_max":199917,"s_to_c_stddev":50165.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":324.4,"c_to_s_max":1514,"c_to_s_stddev":464.0,"s_to_c_min":66,"s_to_c_avg":581.3,"s_to_c_max":1514,"s_to_c_stddev":619.4}}} +01460{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":133,"source":"netflix.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319032888907,"flow_src_last_pkt_time":1484319033506287,"flow_dst_last_pkt_time":1484319033504279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1665,"flow_dst_tot_l4_payload_len":5139,"midstream":0,"thread_ts_usec":1484319033506287,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53105,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":72,"flow_avg":39766.2,"flow_max":363670,"flow_stddev":81851.3,"c_to_s_min":137,"c_to_s_avg":36316.5,"c_to_s_max":310931,"c_to_s_stddev":72658.9,"s_to_c_min":72,"s_to_c_avg":43955.1,"s_to_c_max":363670,"s_to_c_stddev":91609.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":159.2,"c_to_s_max":422,"c_to_s_stddev":137.4,"s_to_c_min":66,"s_to_c_avg":433.6,"s_to_c_max":1514,"s_to_c_stddev":541.5}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} +01198{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":134,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319032986624,"flow_src_last_pkt_time":1484319033498318,"flow_dst_last_pkt_time":1484319033554363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4381,"flow_dst_tot_l4_payload_len":7721,"midstream":0,"thread_ts_usec":1484319033554363,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":191,"flow_avg":34820.4,"flow_max":199917,"flow_stddev":47580.3,"c_to_s_min":191,"c_to_s_avg":31980.9,"c_to_s_max":141147,"c_to_s_stddev":44836.7,"s_to_c_min":234,"s_to_c_avg":37849.3,"s_to_c_max":199917,"s_to_c_stddev":50165.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":324.4,"c_to_s_max":1514,"c_to_s_stddev":464.0,"s_to_c_min":66,"s_to_c_avg":581.3,"s_to_c_max":1514,"s_to_c_stddev":619.4}}} 01731{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":134,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319032986624,"flow_src_last_pkt_time":1484319033498318,"flow_dst_last_pkt_time":1484319033554363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4381,"flow_dst_tot_l4_payload_len":7721,"midstream":0,"thread_ts_usec":1484319033554363,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":143,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319033631945,"flow_dst_last_pkt_time":1484319033631945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319033631945,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":143,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1484319033631945,"flow_dst_last_pkt_time":1484319033631945,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319033631945,"pkt":"gCqoTGHM5JjWH70UCABFAABAVMpAAEAGIQjAqAEHNkXM8c9+AbvPvqpAAAAAALAC\/\/9MiwAAAgQFtAEDAwUBAQgKH2S67gAAAAAEAgAA"} @@ -97,7 +97,7 @@ 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":268,"source":"netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1484319035399304,"flow_dst_last_pkt_time":1484319035397916,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319035399304,"pkt":"gCqoTGHM5JjWH70UCABFAAA0+2BAAEAGIdDAqAEHNFkni8+OAbvRf5R+2AMl5IAQEBW8GgAAAQEICh9kwZ2tiMk\/"} 01170{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":269,"source":"netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319035342783,"flow_src_last_pkt_time":1484319035401110,"flow_dst_last_pkt_time":1484319035397916,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319035401110,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53134,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01228{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":279,"source":"netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319035342783,"flow_src_last_pkt_time":1484319035401110,"flow_dst_last_pkt_time":1484319035449894,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319035449894,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53134,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} -01200{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":306,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319035080111,"flow_src_last_pkt_time":1484319035720714,"flow_dst_last_pkt_time":1484319035719060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2402,"flow_dst_tot_l4_payload_len":12882,"midstream":0,"thread_ts_usec":1484319035720714,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":143,"flow_avg":40060.1,"flow_max":350146,"flow_stddev":76330.4,"c_to_s_min":222,"c_to_s_avg":40185.9,"c_to_s_max":350146,"c_to_s_stddev":83024.7,"s_to_c_min":143,"s_to_c_avg":39934.3,"s_to_c_max":291182,"s_to_c_stddev":68989.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":216.9,"c_to_s_max":1514,"c_to_s_stddev":368.1,"s_to_c_min":66,"s_to_c_avg":871.6,"s_to_c_max":1514,"s_to_c_stddev":667.3}}} +01200{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":306,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319035080111,"flow_src_last_pkt_time":1484319035720714,"flow_dst_last_pkt_time":1484319035719060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2402,"flow_dst_tot_l4_payload_len":12882,"midstream":0,"thread_ts_usec":1484319035720714,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":143,"flow_avg":41275.9,"flow_max":350146,"flow_stddev":77246.2,"c_to_s_min":222,"c_to_s_avg":42706.9,"c_to_s_max":350146,"c_to_s_stddev":85152.5,"s_to_c_min":143,"s_to_c_avg":39934.3,"s_to_c_max":291182,"s_to_c_stddev":68989.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":216.9,"c_to_s_max":1514,"c_to_s_stddev":368.1,"s_to_c_min":66,"s_to_c_avg":871.6,"s_to_c_max":1514,"s_to_c_stddev":667.3}}} 01796{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":306,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319035080111,"flow_src_last_pkt_time":1484319035720714,"flow_dst_last_pkt_time":1484319035719060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2402,"flow_dst_tot_l4_payload_len":12882,"midstream":0,"thread_ts_usec":1484319035720714,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}} 00665{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":321,"source":"netflix.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1484319035889509,"flow_dst_last_pkt_time":1484319033886061,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":164,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":164,"pkt_l4_len":130,"thread_ts_usec":1484319035889509,"pkt":"AQBef\/\/65JjWH70UCABFAACW0KMAAAERNwrAqAEH7\/\/\/+tIQB2wAggqVTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMg0KU1Q6IHVybjptZHgtbmV0ZmxpeC1jb206c2VydmljZTp0YXJnZXQ6MA0KDQo="} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":323,"source":"netflix.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319036827113,"flow_src_last_pkt_time":1484319036827113,"flow_dst_last_pkt_time":1484319036827113,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319036827113,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57719,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -112,8 +112,8 @@ 01088{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":328,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036870445,"flow_dst_last_pkt_time":1484319036865722,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319036870445,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-s.nflximg.net","tls": {"version":"TLSv1.2","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01148{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":330,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036870445,"flow_dst_last_pkt_time":1484319036889708,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1484319036889708,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-s.nflximg.net","tls": {"version":"TLSv1.2","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"ef6b224ce027c8e21e5a25d8a58255a3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01697{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":333,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036894463,"flow_dst_last_pkt_time":1484319036900382,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":3414,"midstream":0,"thread_ts_usec":1484319036900382,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-s.nflximg.net","tls": {"version":"TLSv1.2","server_names":"secure.cdn.nflximg.net,*.nflxext.com,*.nflxvideo.net,*.nflxsearch.net,*.nrd.nflximg.net,*.nflximg.net","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"ef6b224ce027c8e21e5a25d8a58255a3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=Los Gatos, O=Netflix, Inc., OU=Content Delivery Operations, CN=secure.cdn.nflximg.net","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"0D:EF:D1:E6:29:11:1A:A5:88:B3:2F:04:65:D6:D7:AD:84:A2:52:26"}}} -01456{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":356,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036983563,"flow_dst_last_pkt_time":1484319036982334,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1128,"flow_dst_tot_l4_payload_len":5359,"midstream":0,"thread_ts_usec":1484319036983563,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":142,"flow_avg":8888.8,"flow_max":40245,"flow_stddev":10825.2,"c_to_s_min":142,"c_to_s_avg":7450.0,"c_to_s_max":27231,"c_to_s_stddev":9262.8,"s_to_c_min":316,"s_to_c_avg":11635.5,"s_to_c_max":40245,"s_to_c_stddev":12868.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":120.3,"c_to_s_max":293,"c_to_s_stddev":56.6,"s_to_c_min":66,"s_to_c_avg":553.9,"s_to_c_max":1514,"s_to_c_stddev":607.8}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} -01211{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":596,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319035079531,"flow_src_last_pkt_time":1484319042786338,"flow_dst_last_pkt_time":1484319042922798,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4576,"flow_dst_tot_l4_payload_len":5220,"midstream":0,"thread_ts_usec":1484319042922798,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":147,"flow_avg":486004.9,"flow_max":7507819,"flow_stddev":1799591.1,"c_to_s_min":147,"c_to_s_avg":453464.1,"c_to_s_max":7402221,"c_to_s_stddev":1737355.8,"s_to_c_min":911,"s_to_c_avg":522884.5,"s_to_c_max":7507819,"s_to_c_stddev":1866933.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":335.9,"c_to_s_max":1514,"c_to_s_stddev":480.2,"s_to_c_min":66,"s_to_c_avg":414.5,"s_to_c_max":1514,"s_to_c_stddev":560.1}}} +01456{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":356,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036983563,"flow_dst_last_pkt_time":1484319036982334,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1128,"flow_dst_tot_l4_payload_len":5359,"midstream":0,"thread_ts_usec":1484319036983563,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":142,"flow_avg":8297.1,"flow_max":40245,"flow_stddev":10476.7,"c_to_s_min":142,"c_to_s_avg":6461.0,"c_to_s_max":26013,"c_to_s_stddev":8339.5,"s_to_c_min":316,"s_to_c_avg":11635.5,"s_to_c_max":40245,"s_to_c_stddev":12868.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":120.3,"c_to_s_max":293,"c_to_s_stddev":56.6,"s_to_c_min":66,"s_to_c_avg":553.9,"s_to_c_max":1514,"s_to_c_stddev":607.8}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} +01211{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":596,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319035079531,"flow_src_last_pkt_time":1484319042786338,"flow_dst_last_pkt_time":1484319042922798,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4576,"flow_dst_tot_l4_payload_len":5220,"midstream":0,"thread_ts_usec":1484319042922798,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":147,"flow_avg":501615.3,"flow_max":7507819,"flow_stddev":1826252.6,"c_to_s_min":147,"c_to_s_avg":481675.4,"c_to_s_max":7402221,"c_to_s_stddev":1787043.8,"s_to_c_min":911,"s_to_c_avg":522884.5,"s_to_c_max":7507819,"s_to_c_stddev":1866933.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":335.9,"c_to_s_max":1514,"c_to_s_stddev":480.2,"s_to_c_min":66,"s_to_c_avg":414.5,"s_to_c_max":1514,"s_to_c_stddev":560.1}}} 01795{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":596,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319035079531,"flow_src_last_pkt_time":1484319042786338,"flow_dst_last_pkt_time":1484319042922798,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4576,"flow_dst_tot_l4_payload_len":5220,"midstream":0,"thread_ts_usec":1484319042922798,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":604,"source":"netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319042988806,"flow_src_last_pkt_time":1484319042988806,"flow_dst_last_pkt_time":1484319042988806,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319042988806,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":59180,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":604,"source":"netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_src_last_pkt_time":1484319042988806,"flow_dst_last_pkt_time":1484319042988806,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"thread_ts_usec":1484319042988806,"pkt":"gCqoTGHM5JjWH70UCABFAABGkh4AAP8Rpi\/AqAEHwKgBAecsADUAMtLh8roBAAABAAAAAAAAB2FydHdvcmsEYWthbQduZmx4aW1nA25ldAAAAQAB"} @@ -135,7 +135,7 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":669,"source":"netflix.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_src_last_pkt_time":1484319043665565,"flow_dst_last_pkt_time":1484319043688511,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319043688511,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADwG+Lm4GcwZwKgBBwBQz57u7DQucjxhCKAScSCMigAAAgQFtAQCCAr\/\/D2rH2ThCQEDAwU="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":670,"source":"netflix.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_src_last_pkt_time":1484319043689999,"flow_dst_last_pkt_time":1484319043688511,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319043689999,"pkt":"gCqoTGHM5JjWH70UCABFAAA0VAZAAEAGoNvAqAEHuBnMGc+eAFByPGEI7uw0L4AQEBUcSAAAAQEICh9k4SH\/\/D2r"} 01071{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":671,"source":"netflix.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319043665565,"flow_src_last_pkt_time":1484319043691581,"flow_dst_last_pkt_time":1484319043688511,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319043691581,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53150,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-2.nflximg.net","http": {"url":"art-2.nflximg.net\/87b33\/bed1223a0040fdc97bac4e906332e462c6e87b33.jpg","code":0,"content_type":"","user_agent":"Argo\/9.1.0 (iPhone; iOS 10.2; Scale\/2.00)"}}} -01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":694,"source":"netflix.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1484319043013015,"flow_src_last_pkt_time":1484319044532732,"flow_dst_last_pkt_time":1484319044504314,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":33304,"midstream":0,"thread_ts_usec":1484319044532732,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53149,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6882,"flow_avg":94850.8,"flow_max":1300093,"flow_stddev":226514.5,"c_to_s_min":6882,"c_to_s_avg":220560.9,"c_to_s_max":1300093,"c_to_s_stddev":441578.2,"s_to_c_min":13255,"s_to_c_avg":59652.0,"s_to_c_max":398536,"s_to_c_stddev":73579.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":106.7,"c_to_s_max":311,"c_to_s_stddev":84.0,"s_to_c_min":66,"s_to_c_avg":1398.5,"s_to_c_max":1514,"s_to_c_stddev":391.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":694,"source":"netflix.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1484319043013015,"flow_src_last_pkt_time":1484319044532732,"flow_dst_last_pkt_time":1484319044504314,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":33304,"midstream":0,"thread_ts_usec":1484319044532732,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53149,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6882,"flow_avg":97129.5,"flow_max":1300093,"flow_stddev":229777.6,"c_to_s_min":6882,"c_to_s_avg":253286.2,"c_to_s_max":1300093,"c_to_s_stddev":469034.3,"s_to_c_min":13255,"s_to_c_avg":59652.0,"s_to_c_max":398536,"s_to_c_stddev":73579.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":106.7,"c_to_s_max":311,"c_to_s_stddev":84.0,"s_to_c_min":66,"s_to_c_avg":1398.5,"s_to_c_max":1514,"s_to_c_stddev":391.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":703,"source":"netflix.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1484319044993872,"flow_dst_last_pkt_time":1484319030789585,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1484319044993872,"pkt":"gCqoTGHM5JjWH70UCABFAAAoz5tAAEAGHmfAqAEHNBhXBs7BAbvkIOdlTYzTZlAUEACWDAAAAAAAAAAA"} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":795,"source":"netflix.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319048757894,"flow_src_last_pkt_time":1484319048757894,"flow_dst_last_pkt_time":1484319048757894,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319048757894,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":58102,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":795,"source":"netflix.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_src_last_pkt_time":1484319048757894,"flow_dst_last_pkt_time":1484319048757894,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1484319048757894,"pkt":"gCqoTGHM5JjWH70UCABFAABBS2MAAP8R7O\/AqAEHwKgBAeL2ADUALZ5c\/mQBAAABAAAAAAAAB2FwcGJvb3QHbmV0ZmxpeANjb20AAAEAAQ=="} @@ -147,7 +147,7 @@ 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":798,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_src_last_pkt_time":1484319048780859,"flow_dst_last_pkt_time":1484319048824981,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319048824981,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGmJ82yb+EwKgBBwBQz59tgW\/FOnvHe6ASRep1DwAAAgQFtAQCCApXXrqDH2T0hAEDAwg="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":799,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_src_last_pkt_time":1484319048826457,"flow_dst_last_pkt_time":1484319048824981,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319048826457,"pkt":"gCqoTGHM5JjWH70UCABFAAA0VQxAAEAGLbvAqAEHNsm\/hM+fAFA6e8d7bYFvxoAQEBXZhAAAAQEICh9k9LFXXrqD"} 01105{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":800,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319048780859,"flow_src_last_pkt_time":1484319048830359,"flow_dst_last_pkt_time":1484319048824981,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":313,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":313,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319048830359,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.201.191.132","src_port":53151,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"appboot.netflix.com","http": {"url":"appboot.netflix.com\/appboot\/NFAPPL-02-","code":0,"content_type":"","user_agent":"Argo\/900 CFNetwork\/808.2.16 Darwin\/16.3.0","request_content_type":"application\/x-www-form-urlencoded"}}} -01348{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":839,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1484319048780859,"flow_src_last_pkt_time":1484319049236027,"flow_dst_last_pkt_time":1484319049229808,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2612,"flow_dst_tot_l4_payload_len":21687,"midstream":0,"thread_ts_usec":1484319049236027,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.201.191.132","src_port":53151,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":193,"flow_avg":28971.3,"flow_max":187154,"flow_stddev":41670.2,"c_to_s_min":193,"c_to_s_avg":39844.4,"c_to_s_max":187154,"c_to_s_stddev":54684.6,"s_to_c_min":302,"s_to_c_avg":22447.4,"s_to_c_max":135055,"s_to_c_stddev":29504.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":285.7,"c_to_s_max":1514,"c_to_s_stddev":441.6,"s_to_c_min":66,"s_to_c_avg":1150.8,"s_to_c_max":1514,"s_to_c_stddev":575.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01348{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":839,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1484319048780859,"flow_src_last_pkt_time":1484319049236027,"flow_dst_last_pkt_time":1484319049229808,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2612,"flow_dst_tot_l4_payload_len":21687,"midstream":0,"thread_ts_usec":1484319049236027,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.201.191.132","src_port":53151,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":193,"flow_avg":29165.1,"flow_max":187154,"flow_stddev":42322.7,"c_to_s_min":193,"c_to_s_avg":41378.9,"c_to_s_max":187154,"c_to_s_stddev":56868.4,"s_to_c_min":302,"s_to_c_avg":22447.4,"s_to_c_max":135055,"s_to_c_stddev":29504.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":285.7,"c_to_s_max":1514,"c_to_s_stddev":441.6,"s_to_c_min":66,"s_to_c_avg":1150.8,"s_to_c_max":1514,"s_to_c_stddev":575.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":861,"source":"netflix.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319049465573,"flow_src_last_pkt_time":1484319049465573,"flow_dst_last_pkt_time":1484319049465573,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319049465573,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53152,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":861,"source":"netflix.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1484319049465573,"flow_dst_last_pkt_time":1484319049465573,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319049465573,"pkt":"gCqoTGHM5JjWH70UCABFAABAjtZAAEAGjk7AqAEHNFkni8+gAFCVL\/AiAAAAALAC\/\/+toQAAAgQFtAEDAwUBAQgKH2T3IAAAAAAEAgAA"} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":863,"source":"netflix.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1484319049465573,"flow_dst_last_pkt_time":1484319049510947,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319049510947,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGMwk0WSeLwKgBBwBQz6CC\/YxQlS\/wI6ASRerkyQAAAgQFtAQCCAqtiNcHH2T3IAEDAwg="} @@ -160,7 +160,7 @@ 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":887,"source":"netflix.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319049645637,"flow_src_last_pkt_time":1484319049645637,"flow_dst_last_pkt_time":1484319049645637,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319049645637,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":52347,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":887,"source":"netflix.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1484319049645637,"flow_dst_last_pkt_time":1484319049645637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":80,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":80,"pkt_l4_len":46,"thread_ts_usec":1484319049645637,"pkt":"gCqoTGHM5JjWH70UCABFAABCunsAAEARPNfAqAEHwKgBAcx7ADUALmwlX+cBAAABAAAAAAAAA2lvcwRuY2NwB25ldGZsaXgDY29tAAAcAAE="} 01000{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":887,"source":"netflix.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319049645637,"flow_src_last_pkt_time":1484319049645637,"flow_dst_last_pkt_time":1484319049645637,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319049645637,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":52347,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":889,"source":"netflix.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319043012652,"flow_src_last_pkt_time":1484319049640319,"flow_dst_last_pkt_time":1484319049653906,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":491,"flow_dst_tot_l4_payload_len":23168,"midstream":0,"thread_ts_usec":1484319049653906,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53148,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":590,"flow_avg":415399.0,"flow_max":6030936,"flow_stddev":1214223.0,"c_to_s_min":11557,"c_to_s_avg":475108.1,"c_to_s_max":3643850,"c_to_s_stddev":968753.9,"s_to_c_min":590,"s_to_c_avg":368958.6,"s_to_c_max":6030936,"s_to_c_stddev":1373383.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":110.2,"c_to_s_max":312,"c_to_s_stddev":82.9,"s_to_c_min":66,"s_to_c_avg":1353.6,"s_to_c_max":1514,"s_to_c_stddev":453.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":889,"source":"netflix.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319043012652,"flow_src_last_pkt_time":1484319049640319,"flow_dst_last_pkt_time":1484319049653906,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":491,"flow_dst_tot_l4_payload_len":23168,"midstream":0,"thread_ts_usec":1484319049653906,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53148,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":590,"flow_avg":428029.7,"flow_max":6030936,"flow_stddev":1231580.9,"c_to_s_min":11557,"c_to_s_avg":509820.5,"c_to_s_max":3643850,"c_to_s_stddev":996898.1,"s_to_c_min":590,"s_to_c_avg":368958.6,"s_to_c_max":6030936,"s_to_c_stddev":1373383.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":110.2,"c_to_s_max":312,"c_to_s_stddev":82.9,"s_to_c_min":66,"s_to_c_avg":1353.6,"s_to_c_max":1514,"s_to_c_stddev":453.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00591{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":891,"source":"netflix.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1484319049641053,"flow_dst_last_pkt_time":1484319049665892,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":112,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":112,"pkt_l4_len":78,"thread_ts_usec":1484319049665892,"pkt":"5JjWH70UgCqoTGHMCABFAABi4UdAAEAR1erAqAEBwKgBBwA1yhAATkFkBBqBgAABAAIAAAAABGE4MDMEZHNjZwZha2FtYWkDbmV0AAABAAHADAABAAEAAAAMAAS4GcwYwAwAAQABAAAADAAEuBnMKA=="} 01012{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":891,"source":"netflix.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319049641053,"flow_src_last_pkt_time":1484319049641053,"flow_dst_last_pkt_time":1484319049665892,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":70,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":70,"midstream":0,"thread_ts_usec":1484319049665892,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":51728,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"a803.dscg.akamai.net","dns": {"num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"184.25.204.24"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":895,"source":"netflix.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319049672494,"flow_src_last_pkt_time":1484319049672494,"flow_dst_last_pkt_time":1484319049672494,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319049672494,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.24","src_port":53153,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -183,20 +183,20 @@ 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":970,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1484319050652467,"flow_dst_last_pkt_time":1484319050677236,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319050677236,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGWmYX9guRwKgBBwBQz6susPTdvF5ArqAS\/\/\/2WQAAAgQFtAEDAwkEAggKRVwbeB9k+44="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":971,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_src_last_pkt_time":1484319050678757,"flow_dst_last_pkt_time":1484319050677236,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319050678757,"pkt":"gCqoTGHM5JjWH70UCABFAAA0kSxAAEAGxGHAqAEHF\/YLkc+rAFC8XkCuLrD03oAQEBUU+gAAAQEICh9k+6dFXBt4"} 01354{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":972,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319050652467,"flow_src_last_pkt_time":1484319050682551,"flow_dst_last_pkt_time":1484319050677236,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319050682551,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.145","src_port":53163,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.145","http": {"url":"23.246.11.145\/range\/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=5xfYVtna3GdYXL71uNs6DZ-X84Y&random=3930708224","code":0,"content_type":"","user_agent":"netflix-ios-app"}}} -01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1008,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1484319050652467,"flow_src_last_pkt_time":1484319051912595,"flow_dst_last_pkt_time":1484319051940613,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":28027,"midstream":0,"thread_ts_usec":1484319051940613,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.145","src_port":53163,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3794,"flow_avg":102185.3,"flow_max":721657,"flow_stddev":187680.6,"c_to_s_min":3794,"c_to_s_avg":180162.3,"c_to_s_max":721657,"c_to_s_stddev":256570.5,"s_to_c_min":4828,"s_to_c_avg":61340.3,"s_to_c_max":582496,"s_to_c_stddev":119749.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":103.1,"c_to_s_max":422,"c_to_s_stddev":101.2,"s_to_c_min":74,"s_to_c_avg":1401.0,"s_to_c_max":1514,"s_to_c_stddev":357.0}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1008,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1484319050652467,"flow_src_last_pkt_time":1484319051912595,"flow_dst_last_pkt_time":1484319051940613,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":28027,"midstream":0,"thread_ts_usec":1484319051940613,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.145","src_port":53163,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3794,"flow_avg":82202.4,"flow_max":651024,"flow_stddev":153564.6,"c_to_s_min":3794,"c_to_s_avg":126012.8,"c_to_s_max":651024,"c_to_s_stddev":200393.2,"s_to_c_min":4828,"s_to_c_avg":61340.3,"s_to_c_max":582496,"s_to_c_stddev":119749.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":103.1,"c_to_s_max":422,"c_to_s_stddev":101.2,"s_to_c_min":74,"s_to_c_avg":1401.0,"s_to_c_max":1514,"s_to_c_stddev":357.0}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1027,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319052216458,"flow_src_last_pkt_time":1484319052216458,"flow_dst_last_pkt_time":1484319052216458,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319052216458,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.10.139","src_port":53164,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1027,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1484319052216458,"flow_dst_last_pkt_time":1484319052216458,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319052216458,"pkt":"gCqoTGHM5JjWH70UCABFAABAN3hAAEAGHxDAqAEHF\/YKi8+sAFBgdy0VAAAAALAC\/\/\/UZQAAAgQFtAEDAwUBAQgKH2UBeQAAAAAEAgAA"} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1031,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_src_last_pkt_time":1484319052216458,"flow_dst_last_pkt_time":1484319052235250,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319052235250,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGW2wX9gqLwKgBBwBQz6xlmlqWYHctFqAS\/\/8JBgAAAgQFtAEDAwkEAggKQI7bkB9lAXk="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1032,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":3,"flow_src_last_pkt_time":1484319052237833,"flow_dst_last_pkt_time":1484319052235250,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319052237833,"pkt":"gCqoTGHM5JjWH70UCABFAAA0JFZAAEAGMj7AqAEHF\/YKi8+sAFBgdy0WZZpal4AQEBUnrAAAAQEICh9lAYxAjtuQ"} 01355{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1033,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319052216458,"flow_src_last_pkt_time":1484319052242977,"flow_dst_last_pkt_time":1484319052235250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319052242977,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.10.139","src_port":53164,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.10.139","http": {"url":"23.246.10.139\/range\/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-djGXIcbFBNzyfugqEWcrgtCpyY&random=3407360776","code":0,"content_type":"","user_agent":"netflix-ios-app"}}} -01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1073,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1484319052216458,"flow_src_last_pkt_time":1484319053577715,"flow_dst_last_pkt_time":1484319053589492,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":25132,"midstream":0,"thread_ts_usec":1484319053589492,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.10.139","src_port":53164,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1043,"flow_avg":86190.2,"flow_max":638852,"flow_stddev":149925.8,"c_to_s_min":5144,"c_to_s_avg":106542.4,"c_to_s_max":638852,"c_to_s_stddev":175382.7,"s_to_c_min":1043,"s_to_c_avg":72264.9,"s_to_c_max":579987,"s_to_c_stddev":127805.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.1,"c_to_s_max":422,"c_to_s_stddev":93.2,"s_to_c_min":74,"s_to_c_avg":1389.2,"s_to_c_max":1514,"s_to_c_stddev":373.2}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1073,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1484319052216458,"flow_src_last_pkt_time":1484319053577715,"flow_dst_last_pkt_time":1484319053589492,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":25132,"midstream":0,"thread_ts_usec":1484319053589492,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.10.139","src_port":53164,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1043,"flow_avg":88202.9,"flow_max":638852,"flow_stddev":151898.7,"c_to_s_min":5144,"c_to_s_avg":113438.1,"c_to_s_max":638852,"c_to_s_stddev":180843.0,"s_to_c_min":1043,"s_to_c_avg":72264.9,"s_to_c_max":579987,"s_to_c_stddev":127805.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.1,"c_to_s_max":422,"c_to_s_stddev":93.2,"s_to_c_min":74,"s_to_c_avg":1389.2,"s_to_c_max":1514,"s_to_c_stddev":373.2}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1100,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319054101585,"flow_src_last_pkt_time":1484319054101585,"flow_dst_last_pkt_time":1484319054101585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319054101585,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53171,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1100,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":1,"flow_src_last_pkt_time":1484319054101585,"flow_dst_last_pkt_time":1484319054101585,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319054101585,"pkt":"gCqoTGHM5JjWH70UCABFAABA9bFAAEAGZ9XAqAEHF\/YDjM+zAFBtwXYMAAAAALAC\/\/99\/AAAAgQFtAEDAwUBAQgKH2UImQAAAAAEAgAA"} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1101,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_src_last_pkt_time":1484319054101585,"flow_dst_last_pkt_time":1484319054132376,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319054132376,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADgGZWsX9gOMwKgBBwBQz7OFwt93bcF2DaAS\/\/\/aJAAAAgQFtAEDAwkEAggKhKDK7B9lCJk="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1102,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":3,"flow_src_last_pkt_time":1484319054134077,"flow_dst_last_pkt_time":1484319054132376,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319054134077,"pkt":"gCqoTGHM5JjWH70UCABFAAA0mQ1AAEAGxIXAqAEHF\/YDjM+zAFBtwXYNhcLfeIAQEBX4vQAAAQEICh9lCLmEoMrs"} 01351{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1103,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319054101585,"flow_src_last_pkt_time":1484319054139605,"flow_dst_last_pkt_time":1484319054132376,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":354,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":354,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319054139605,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53171,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.3.140","http": {"url":"23.246.3.140\/range\/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-8u4vlcPuFqcOLnLyb9DDtK-bB4&random=357509657","code":0,"content_type":"","user_agent":"netflix-ios-app"}}} -01468{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1132,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1484319054101585,"flow_src_last_pkt_time":1484319054294236,"flow_dst_last_pkt_time":1484319054480080,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":354,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":354,"flow_dst_tot_l4_payload_len":29479,"midstream":0,"thread_ts_usec":1484319054480080,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53171,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2187,"flow_avg":18463.6,"flow_max":44333,"flow_stddev":9877.1,"c_to_s_min":5528,"c_to_s_avg":21233.9,"c_to_s_max":41107,"c_to_s_stddev":10535.4,"s_to_c_min":2187,"s_to_c_avg":17204.3,"s_to_c_max":44333,"s_to_c_stddev":9293.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":102.6,"c_to_s_max":420,"c_to_s_stddev":105.9,"s_to_c_min":74,"s_to_c_avg":1406.3,"s_to_c_max":1514,"s_to_c_stddev":349.1}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01485{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1140,"source":"netflix.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319049672494,"flow_src_last_pkt_time":1484319054604684,"flow_dst_last_pkt_time":1484319054632485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":216,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":216,"flow_dst_tot_l4_payload_len":17376,"midstream":0,"thread_ts_usec":1484319054632485,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.24","src_port":53153,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2986,"flow_avg":309665.1,"flow_max":4093620,"flow_stddev":800796.9,"c_to_s_min":2986,"c_to_s_avg":274960.7,"c_to_s_max":1864439,"c_to_s_stddev":546951.4,"s_to_c_min":24907,"s_to_c_avg":354285.1,"s_to_c_max":4093620,"s_to_c_stddev":1038077.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":94.2,"c_to_s_max":282,"c_to_s_stddev":46.9,"s_to_c_min":66,"s_to_c_avg":1307.7,"s_to_c_max":1514,"s_to_c_stddev":505.3}},"ndpi": {"flow_risk": {"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01469{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1132,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1484319054101585,"flow_src_last_pkt_time":1484319054294236,"flow_dst_last_pkt_time":1484319054480080,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":354,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":354,"flow_dst_tot_l4_payload_len":29479,"midstream":0,"thread_ts_usec":1484319054480080,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53171,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2187,"flow_avg":18424.1,"flow_max":44333,"flow_stddev":10032.7,"c_to_s_min":5528,"c_to_s_avg":21405.7,"c_to_s_max":41107,"c_to_s_stddev":11092.0,"s_to_c_min":2187,"s_to_c_avg":17204.3,"s_to_c_max":44333,"s_to_c_stddev":9293.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":102.6,"c_to_s_max":420,"c_to_s_stddev":105.9,"s_to_c_min":74,"s_to_c_avg":1406.3,"s_to_c_max":1514,"s_to_c_stddev":349.1}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01485{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1140,"source":"netflix.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319049672494,"flow_src_last_pkt_time":1484319054604684,"flow_dst_last_pkt_time":1484319054632485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":216,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":216,"flow_dst_tot_l4_payload_len":17376,"midstream":0,"thread_ts_usec":1484319054632485,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.24","src_port":53153,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2986,"flow_avg":319102.6,"flow_max":4093620,"flow_stddev":811857.0,"c_to_s_min":2986,"c_to_s_avg":290128.8,"c_to_s_max":1864439,"c_to_s_stddev":559117.2,"s_to_c_min":24907,"s_to_c_avg":354285.1,"s_to_c_max":4093620,"s_to_c_stddev":1038077.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":94.2,"c_to_s_max":282,"c_to_s_stddev":46.9,"s_to_c_min":66,"s_to_c_avg":1307.7,"s_to_c_max":1514,"s_to_c_stddev":505.3}},"ndpi": {"flow_risk": {"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1231,"source":"netflix.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319056204111,"flow_src_last_pkt_time":1484319056204111,"flow_dst_last_pkt_time":1484319056204111,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319056204111,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53172,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1231,"source":"netflix.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_src_last_pkt_time":1484319056204111,"flow_dst_last_pkt_time":1484319056204111,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319056204111,"pkt":"gCqoTGHM5JjWH70UCABFAABAfy9AAEAG1l7AqAEHF\/YLhc+0AFDwxwoWAAAAALAC\/\/9XEAAAAgQFtAEDAwUBAQgKH2UQewAAAAAEAgAA"} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1232,"source":"netflix.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319056210218,"flow_src_last_pkt_time":1484319056210218,"flow_dst_last_pkt_time":1484319056210218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319056210218,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53173,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -252,18 +252,18 @@ 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1283,"source":"netflix.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":3,"flow_src_last_pkt_time":1484319056327623,"flow_dst_last_pkt_time":1484319056326288,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319056327623,"pkt":"gCqoTGHM5JjWH70UCABFAAA0Fj1AAEAGP1XAqAEHF\/YLjc++AFBtOQm7PQ6az4AQEBV4RwAAAQEICh9lEOzE7\/UM"} 01358{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1285,"source":"netflix.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319056264215,"flow_src_last_pkt_time":1484319056336202,"flow_dst_last_pkt_time":1484319056326114,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":359,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319056336202,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53181,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.141","http": {"url":"23.246.11.141\/range\/0-65535?o=AQEfKq2oMrLRiWL2puNQLJ2TIBepGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpPbiCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=tTXu3c6FnJtfi6z0IJp3hw8eDv8&random=129454076","code":0,"content_type":"","user_agent":"netflix-ios-app"}}} 01357{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1286,"source":"netflix.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319056264541,"flow_src_last_pkt_time":1484319056347066,"flow_dst_last_pkt_time":1484319056326288,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319056347066,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53182,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.141","http": {"url":"23.246.11.141\/range\/0-65535?o=AQEfKq2oMrLRiWL2puNQJZ2VKhqgGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzTho_flHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=LQ7LyXSnZaXKEHAHaRRHk-S7dKE&random=4209810633","code":0,"content_type":"","user_agent":"netflix-ios-app"}}} -01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1458,"source":"netflix.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056241489,"flow_src_last_pkt_time":1484319059351882,"flow_dst_last_pkt_time":1484319059371795,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319059371795,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53180,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":394,"flow_avg":195637.2,"flow_max":2097549,"flow_stddev":398301.9,"c_to_s_min":473,"c_to_s_avg":149051.6,"c_to_s_max":1162295,"c_to_s_stddev":246828.4,"s_to_c_min":394,"s_to_c_avg":284573.3,"s_to_c_max":2097549,"s_to_c_stddev":577189.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":93.4,"c_to_s_max":426,"c_to_s_stddev":75.3,"s_to_c_min":74,"s_to_c_avg":1298.5,"s_to_c_max":1514,"s_to_c_stddev":469.8}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1536,"source":"netflix.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056233255,"flow_src_last_pkt_time":1484319060551613,"flow_dst_last_pkt_time":1484319060618267,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":13563,"midstream":0,"thread_ts_usec":1484319060618267,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53177,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":135,"flow_avg":272401.7,"flow_max":1046959,"flow_stddev":299804.0,"c_to_s_min":135,"c_to_s_avg":216592.1,"c_to_s_max":635898,"c_to_s_stddev":202375.2,"s_to_c_min":857,"s_to_c_avg":365417.7,"s_to_c_max":1046959,"s_to_c_stddev":396968.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":88.4,"c_to_s_max":426,"c_to_s_stddev":77.8,"s_to_c_min":74,"s_to_c_avg":1196.9,"s_to_c_max":1514,"s_to_c_stddev":557.1}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1539,"source":"netflix.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056221799,"flow_src_last_pkt_time":1484319060594060,"flow_dst_last_pkt_time":1484319060664663,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319060664663,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53175,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":569,"flow_avg":276025.4,"flow_max":1636184,"flow_stddev":359858.7,"c_to_s_min":569,"c_to_s_avg":219497.5,"c_to_s_max":1105315,"c_to_s_stddev":265050.7,"s_to_c_min":4002,"s_to_c_avg":370238.7,"s_to_c_max":1636184,"s_to_c_stddev":462645.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":91.1,"c_to_s_max":423,"c_to_s_stddev":76.5,"s_to_c_min":74,"s_to_c_avg":1316.5,"s_to_c_max":1514,"s_to_c_stddev":453.7}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01481{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1545,"source":"netflix.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319056210218,"flow_src_last_pkt_time":1484319060695068,"flow_dst_last_pkt_time":1484319060746254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":20790,"midstream":0,"thread_ts_usec":1484319060746254,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53173,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4949,"flow_avg":283451.7,"flow_max":1397235,"flow_stddev":312221.8,"c_to_s_min":18248,"c_to_s_avg":283401.1,"c_to_s_max":985618,"c_to_s_stddev":262182.5,"s_to_c_min":4949,"s_to_c_avg":283502.2,"s_to_c_max":1397235,"s_to_c_stddev":355281.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":94.6,"c_to_s_max":423,"c_to_s_stddev":85.4,"s_to_c_min":74,"s_to_c_avg":1365.9,"s_to_c_max":1514,"s_to_c_stddev":402.1}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1562,"source":"netflix.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056264541,"flow_src_last_pkt_time":1484319060916913,"flow_dst_last_pkt_time":1484319060915445,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319060916913,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53182,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":342,"flow_avg":291640.1,"flow_max":2716440,"flow_stddev":532785.5,"c_to_s_min":1429,"c_to_s_avg":222932.3,"c_to_s_max":1162512,"c_to_s_stddev":306721.5,"s_to_c_min":342,"s_to_c_avg":422809.5,"s_to_c_max":2716440,"s_to_c_stddev":787371.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":91.8,"c_to_s_max":424,"c_to_s_stddev":74.9,"s_to_c_min":74,"s_to_c_avg":1298.5,"s_to_c_max":1514,"s_to_c_stddev":469.8}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1566,"source":"netflix.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319056214323,"flow_src_last_pkt_time":1484319060947278,"flow_dst_last_pkt_time":1484319060861747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":12102,"midstream":0,"thread_ts_usec":1484319060947278,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53174,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":137,"flow_avg":294814.1,"flow_max":3094333,"flow_stddev":549088.6,"c_to_s_min":5332,"c_to_s_avg":217574.0,"c_to_s_max":626011,"c_to_s_stddev":219495.7,"s_to_c_min":137,"s_to_c_avg":464742.4,"s_to_c_max":3094333,"s_to_c_stddev":903770.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":91.2,"c_to_s_max":424,"c_to_s_stddev":73.0,"s_to_c_min":74,"s_to_c_avg":1277.0,"s_to_c_max":1514,"s_to_c_stddev":487.5}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1585,"source":"netflix.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319056264215,"flow_src_last_pkt_time":1484319061168059,"flow_dst_last_pkt_time":1484319060482194,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":359,"flow_dst_tot_l4_payload_len":12101,"midstream":0,"thread_ts_usec":1484319061168059,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53181,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":266,"flow_avg":285959.5,"flow_max":2608516,"flow_stddev":522881.7,"c_to_s_min":498,"c_to_s_avg":224214.7,"c_to_s_max":1152400,"c_to_s_stddev":298377.0,"s_to_c_min":266,"s_to_c_avg":421797.9,"s_to_c_max":2608516,"s_to_c_stddev":807585.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":93.4,"c_to_s_max":425,"c_to_s_stddev":73.1,"s_to_c_min":74,"s_to_c_avg":1276.9,"s_to_c_max":1514,"s_to_c_stddev":487.7}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01475{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1592,"source":"netflix.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056204111,"flow_src_last_pkt_time":1484319061128980,"flow_dst_last_pkt_time":1484319061270358,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319061270358,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53172,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":79,"flow_avg":313580.5,"flow_max":3064500,"flow_stddev":569510.4,"c_to_s_min":671,"c_to_s_avg":236587.1,"c_to_s_max":811161,"c_to_s_stddev":257988.9,"s_to_c_min":79,"s_to_c_avg":460567.9,"s_to_c_max":3064500,"s_to_c_stddev":885185.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":95.4,"c_to_s_max":424,"c_to_s_stddev":74.3,"s_to_c_min":74,"s_to_c_avg":1298.5,"s_to_c_max":1514,"s_to_c_stddev":469.8}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01480{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1621,"source":"netflix.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056233602,"flow_src_last_pkt_time":1484319061706774,"flow_dst_last_pkt_time":1484319061794702,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319061794702,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53178,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":240,"flow_avg":345253.2,"flow_max":3546297,"flow_stddev":674579.0,"c_to_s_min":240,"c_to_s_avg":261285.9,"c_to_s_max":1317695,"c_to_s_stddev":368411.8,"s_to_c_min":4927,"s_to_c_avg":505554.5,"s_to_c_max":3546297,"s_to_c_stddev":1012684.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":92.7,"c_to_s_max":423,"c_to_s_stddev":74.5,"s_to_c_min":74,"s_to_c_avg":1298.5,"s_to_c_max":1514,"s_to_c_stddev":469.8}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1694,"source":"netflix.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056234960,"flow_src_last_pkt_time":1484319062638948,"flow_dst_last_pkt_time":1484319062680623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319062680623,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53179,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":72,"flow_avg":402196.5,"flow_max":4457097,"flow_stddev":801514.4,"c_to_s_min":828,"c_to_s_avg":321231.2,"c_to_s_max":1392951,"c_to_s_stddev":388412.9,"s_to_c_min":72,"s_to_c_avg":537138.6,"s_to_c_max":4457097,"s_to_c_stddev":1196895.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":93.5,"c_to_s_max":424,"c_to_s_stddev":76.5,"s_to_c_min":74,"s_to_c_avg":1316.5,"s_to_c_max":1514,"s_to_c_stddev":453.7}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1725,"source":"netflix.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319056232857,"flow_src_last_pkt_time":1484319062946776,"flow_dst_last_pkt_time":1484319063015567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":10653,"midstream":0,"thread_ts_usec":1484319063015567,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53176,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":682,"flow_avg":422178.6,"flow_max":4431980,"flow_stddev":805011.6,"c_to_s_min":682,"c_to_s_avg":292478.5,"c_to_s_max":1250769,"c_to_s_stddev":344147.5,"s_to_c_min":4898,"s_to_c_avg":753634.4,"s_to_c_max":4431980,"s_to_c_stddev":1359642.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":92.5,"c_to_s_max":424,"c_to_s_stddev":71.2,"s_to_c_min":74,"s_to_c_avg":1250.6,"s_to_c_max":1514,"s_to_c_stddev":507.3}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01218{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1851,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319063959877,"flow_dst_last_pkt_time":1484319064010312,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6334,"flow_dst_tot_l4_payload_len":4142,"midstream":0,"thread_ts_usec":1484319064010312,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":136,"flow_avg":1897987.8,"flow_max":30086001,"flow_stddev":7271359.5,"c_to_s_min":261,"c_to_s_avg":1785720.0,"c_to_s_max":30033380,"c_to_s_stddev":7061953.0,"s_to_c_min":136,"s_to_c_avg":2025224.5,"s_to_c_max":30086001,"s_to_c_stddev":7499592.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":439.3,"c_to_s_max":1514,"c_to_s_stddev":588.4,"s_to_c_min":66,"s_to_c_avg":342.7,"s_to_c_max":1514,"s_to_c_stddev":514.1}}} +01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1458,"source":"netflix.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056241489,"flow_src_last_pkt_time":1484319059351882,"flow_dst_last_pkt_time":1484319059371795,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319059371795,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53180,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":394,"flow_avg":201312.9,"flow_max":2097549,"flow_stddev":403399.4,"c_to_s_min":473,"c_to_s_avg":155519.7,"c_to_s_max":1162295,"c_to_s_stddev":251181.0,"s_to_c_min":394,"s_to_c_avg":284573.3,"s_to_c_max":2097549,"s_to_c_stddev":577189.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":93.4,"c_to_s_max":426,"c_to_s_stddev":75.3,"s_to_c_min":74,"s_to_c_avg":1298.5,"s_to_c_max":1514,"s_to_c_stddev":469.8}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1536,"source":"netflix.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056233255,"flow_src_last_pkt_time":1484319060551613,"flow_dst_last_pkt_time":1484319060618267,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":13563,"midstream":0,"thread_ts_usec":1484319060618267,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53177,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":135,"flow_avg":280753.9,"flow_max":1046959,"flow_stddev":300914.6,"c_to_s_min":135,"c_to_s_avg":227282.0,"c_to_s_max":635898,"c_to_s_stddev":202053.9,"s_to_c_min":857,"s_to_c_avg":365417.7,"s_to_c_max":1046959,"s_to_c_stddev":396968.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":88.4,"c_to_s_max":426,"c_to_s_stddev":77.8,"s_to_c_min":74,"s_to_c_avg":1196.9,"s_to_c_max":1514,"s_to_c_stddev":557.1}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1539,"source":"netflix.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056221799,"flow_src_last_pkt_time":1484319060594060,"flow_dst_last_pkt_time":1484319060664663,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319060664663,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53175,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":569,"flow_avg":284358.9,"flow_max":1636184,"flow_stddev":362564.9,"c_to_s_min":569,"c_to_s_avg":230119.0,"c_to_s_max":1105315,"c_to_s_stddev":267755.4,"s_to_c_min":4002,"s_to_c_avg":370238.7,"s_to_c_max":1636184,"s_to_c_stddev":462645.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":91.1,"c_to_s_max":423,"c_to_s_stddev":76.5,"s_to_c_min":74,"s_to_c_avg":1316.5,"s_to_c_max":1514,"s_to_c_stddev":453.7}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01481{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1545,"source":"netflix.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319056210218,"flow_src_last_pkt_time":1484319060695068,"flow_dst_last_pkt_time":1484319060746254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":20790,"midstream":0,"thread_ts_usec":1484319060746254,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53173,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4949,"flow_avg":290996.3,"flow_max":1397235,"flow_stddev":314333.5,"c_to_s_min":18248,"c_to_s_avg":298990.0,"c_to_s_max":985618,"c_to_s_stddev":263503.4,"s_to_c_min":4949,"s_to_c_avg":283502.2,"s_to_c_max":1397235,"s_to_c_stddev":355281.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":94.6,"c_to_s_max":423,"c_to_s_stddev":85.4,"s_to_c_min":74,"s_to_c_avg":1365.9,"s_to_c_max":1514,"s_to_c_stddev":402.1}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1562,"source":"netflix.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056264541,"flow_src_last_pkt_time":1484319060916913,"flow_dst_last_pkt_time":1484319060915445,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319060916913,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53182,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":342,"flow_avg":300105.7,"flow_max":2716440,"flow_stddev":539188.2,"c_to_s_min":1429,"c_to_s_avg":232618.6,"c_to_s_max":1162512,"c_to_s_stddev":311145.7,"s_to_c_min":342,"s_to_c_avg":422809.5,"s_to_c_max":2716440,"s_to_c_stddev":787371.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":91.8,"c_to_s_max":424,"c_to_s_stddev":74.9,"s_to_c_min":74,"s_to_c_avg":1298.5,"s_to_c_max":1514,"s_to_c_stddev":469.8}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1566,"source":"netflix.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319056214323,"flow_src_last_pkt_time":1484319060947278,"flow_dst_last_pkt_time":1484319060861747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":12102,"midstream":0,"thread_ts_usec":1484319060947278,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53174,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":137,"flow_avg":302592.9,"flow_max":3094333,"flow_stddev":556136.4,"c_to_s_min":5332,"c_to_s_avg":225378.8,"c_to_s_max":626011,"c_to_s_stddev":221658.3,"s_to_c_min":137,"s_to_c_avg":464742.4,"s_to_c_max":3094333,"s_to_c_stddev":903770.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":91.2,"c_to_s_max":424,"c_to_s_stddev":73.0,"s_to_c_min":74,"s_to_c_avg":1277.0,"s_to_c_max":1514,"s_to_c_stddev":487.5}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1585,"source":"netflix.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319056264215,"flow_src_last_pkt_time":1484319061168059,"flow_dst_last_pkt_time":1484319060482194,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":359,"flow_dst_tot_l4_payload_len":12101,"midstream":0,"thread_ts_usec":1484319061168059,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53181,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":266,"flow_avg":294252.3,"flow_max":2608516,"flow_stddev":529173.0,"c_to_s_min":498,"c_to_s_avg":233516.4,"c_to_s_max":1152400,"c_to_s_stddev":302266.2,"s_to_c_min":266,"s_to_c_avg":421797.9,"s_to_c_max":2608516,"s_to_c_stddev":807585.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":93.4,"c_to_s_max":425,"c_to_s_stddev":73.1,"s_to_c_min":74,"s_to_c_avg":1276.9,"s_to_c_max":1514,"s_to_c_stddev":487.7}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01475{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1592,"source":"netflix.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056204111,"flow_src_last_pkt_time":1484319061128980,"flow_dst_last_pkt_time":1484319061270358,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319061270358,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53172,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":79,"flow_avg":322294.1,"flow_max":3064500,"flow_stddev":576519.8,"c_to_s_min":671,"c_to_s_avg":246243.5,"c_to_s_max":811161,"c_to_s_stddev":260630.1,"s_to_c_min":79,"s_to_c_avg":460567.9,"s_to_c_max":3064500,"s_to_c_stddev":885185.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":95.4,"c_to_s_max":424,"c_to_s_stddev":74.3,"s_to_c_min":74,"s_to_c_avg":1298.5,"s_to_c_max":1514,"s_to_c_stddev":469.8}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01480{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1621,"source":"netflix.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056233602,"flow_src_last_pkt_time":1484319061706774,"flow_dst_last_pkt_time":1484319061794702,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319061794702,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53178,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":240,"flow_avg":355944.2,"flow_max":3546297,"flow_stddev":682699.4,"c_to_s_min":240,"c_to_s_avg":273658.6,"c_to_s_max":1317695,"c_to_s_stddev":373227.6,"s_to_c_min":4927,"s_to_c_avg":505554.5,"s_to_c_max":3546297,"s_to_c_stddev":1012684.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":92.7,"c_to_s_max":423,"c_to_s_stddev":74.5,"s_to_c_min":74,"s_to_c_avg":1298.5,"s_to_c_max":1514,"s_to_c_stddev":469.8}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1694,"source":"netflix.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056234960,"flow_src_last_pkt_time":1484319062638948,"flow_dst_last_pkt_time":1484319062680623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319062680623,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53179,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":72,"flow_avg":414504.9,"flow_max":4457097,"flow_stddev":811357.3,"c_to_s_min":828,"c_to_s_avg":337052.0,"c_to_s_max":1392951,"c_to_s_stddev":392172.0,"s_to_c_min":72,"s_to_c_avg":537138.6,"s_to_c_max":4457097,"s_to_c_stddev":1196895.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":93.5,"c_to_s_max":424,"c_to_s_stddev":76.5,"s_to_c_min":74,"s_to_c_avg":1316.5,"s_to_c_max":1514,"s_to_c_stddev":453.7}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1725,"source":"netflix.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319056232857,"flow_src_last_pkt_time":1484319062946776,"flow_dst_last_pkt_time":1484319063015567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":10653,"midstream":0,"thread_ts_usec":1484319063015567,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53176,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":682,"flow_avg":435375.1,"flow_max":4431980,"flow_stddev":814478.7,"c_to_s_min":682,"c_to_s_avg":305178.1,"c_to_s_max":1250769,"c_to_s_stddev":346571.1,"s_to_c_min":4898,"s_to_c_avg":753634.4,"s_to_c_max":4431980,"s_to_c_stddev":1359642.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":92.5,"c_to_s_max":424,"c_to_s_stddev":71.2,"s_to_c_min":74,"s_to_c_avg":1250.6,"s_to_c_max":1514,"s_to_c_stddev":507.3}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01218{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1851,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319063959877,"flow_dst_last_pkt_time":1484319064010312,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6334,"flow_dst_tot_l4_payload_len":4142,"midstream":0,"thread_ts_usec":1484319064010312,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":136,"flow_avg":1958267.8,"flow_max":30086001,"flow_stddev":7379834.5,"c_to_s_min":261,"c_to_s_avg":1895495.8,"c_to_s_max":30033380,"c_to_s_stddev":7265209.0,"s_to_c_min":136,"s_to_c_avg":2025224.5,"s_to_c_max":30086001,"s_to_c_stddev":7499592.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":439.3,"c_to_s_max":1514,"c_to_s_stddev":588.4,"s_to_c_min":66,"s_to_c_avg":342.7,"s_to_c_max":1514,"s_to_c_stddev":514.1}}} 01703{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1851,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319063959877,"flow_dst_last_pkt_time":1484319064010312,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6334,"flow_dst_tot_l4_payload_len":4142,"midstream":0,"thread_ts_usec":1484319064010312,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1907,"source":"netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319064590230,"flow_src_last_pkt_time":1484319064590230,"flow_dst_last_pkt_time":1484319064590230,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319064590230,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53183,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1907,"source":"netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1484319064590230,"flow_dst_last_pkt_time":1484319064590230,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319064590230,"pkt":"gCqoTGHM5JjWH70UCABFAABAVptAAEAGBuzAqAEHF\/YDjM+\/AFBrAzOSAAAAALAC\/\/+cMAAAAgQFtAEDAwUBAQgKH2UvkQAAAAAEAgAA"} @@ -286,7 +286,7 @@ 01020{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1930,"source":"netflix.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319064683828,"flow_src_last_pkt_time":1484319064683828,"flow_dst_last_pkt_time":1484319064699948,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":41,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":41,"flow_dst_max_l4_payload_len":206,"flow_src_tot_l4_payload_len":41,"flow_dst_tot_l4_payload_len":206,"midstream":0,"thread_ts_usec":1484319064699948,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":60962,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.geo.netflix.com","dns": {"num_queries":1,"num_answers":9,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"52.37.36.252"}}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1935,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319064711690,"flow_dst_last_pkt_time":1484319064711690,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319064711690,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1935,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1484319064711690,"flow_dst_last_pkt_time":1484319064711690,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319064711690,"pkt":"gCqoTGHM5JjWH70UCABFAABAfOpAAEAGov3AqAEHNCUk\/M\/TAbvE99WSAAAAALAC\/\/9grAAAAgQFtAEDAwUBAQgKH2UwAgAAAAAEAgAA"} -01209{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1936,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319033943762,"flow_src_last_pkt_time":1484319064712006,"flow_dst_last_pkt_time":1484319034278653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6319,"flow_dst_tot_l4_payload_len":4140,"midstream":0,"thread_ts_usec":1484319064712006,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":74,"flow_avg":972522.2,"flow_max":30431499,"flow_stddev":5291051.5,"c_to_s_min":146,"c_to_s_avg":1710323.4,"c_to_s_max":30431499,"c_to_s_stddev":6965955.0,"s_to_c_min":74,"s_to_c_avg":23920.8,"s_to_c_max":72134,"s_to_c_stddev":26076.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":417.7,"c_to_s_max":1514,"c_to_s_stddev":578.3,"s_to_c_min":66,"s_to_c_avg":362.3,"s_to_c_max":1514,"s_to_c_stddev":526.7}}} +01210{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1936,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319033943762,"flow_src_last_pkt_time":1484319064712006,"flow_dst_last_pkt_time":1484319034278653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6319,"flow_dst_tot_l4_payload_len":4140,"midstream":0,"thread_ts_usec":1484319064712006,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":74,"flow_avg":1003326.9,"flow_max":30431499,"flow_stddev":5372888.5,"c_to_s_min":146,"c_to_s_avg":1809896.8,"c_to_s_max":30431499,"c_to_s_stddev":7155449.0,"s_to_c_min":74,"s_to_c_avg":23920.8,"s_to_c_max":72134,"s_to_c_stddev":26076.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":417.7,"c_to_s_max":1514,"c_to_s_stddev":578.3,"s_to_c_min":66,"s_to_c_avg":362.3,"s_to_c_max":1514,"s_to_c_stddev":526.7}}} 01704{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1936,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319033943762,"flow_src_last_pkt_time":1484319064712006,"flow_dst_last_pkt_time":1484319034278653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6319,"flow_dst_tot_l4_payload_len":4140,"midstream":0,"thread_ts_usec":1484319064712006,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1937,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1484319064671268,"flow_dst_last_pkt_time":1484319064722112,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319064722112,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGRvs2vxEzwKgBBwG7z9JcNkhzU8YNlaASOJDYrwAAAgQFtAQCCAqtilitH2Uv3gEDAwg="} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1938,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1484319064669455,"flow_dst_last_pkt_time":1484319064722814,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319064722814,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACkGR\/s2vxEzwKgBBwG7z8mqa43KKbVWHqASOJAmtQAAAgQFtAQCCAqtilitH2Uv3QEDAwg="} @@ -303,26 +303,26 @@ 01150{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1968,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319064785302,"flow_dst_last_pkt_time":1484319064885811,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":229,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":229,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1484319064885811,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01673{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1969,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319064729673,"flow_dst_last_pkt_time":1484319064898548,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2528,"midstream":0,"thread_ts_usec":1484319064898548,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","tls": {"version":"TLSv1.2","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}} 01699{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1977,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319064785302,"flow_dst_last_pkt_time":1484319064950196,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":229,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":229,"flow_dst_tot_l4_payload_len":2896,"midstream":0,"thread_ts_usec":1484319064950196,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}} -01201{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2040,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319064669455,"flow_src_last_pkt_time":1484319065388464,"flow_dst_last_pkt_time":1484319065423935,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":23355,"flow_dst_tot_l4_payload_len":2633,"midstream":0,"thread_ts_usec":1484319065423935,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":105,"flow_avg":47590.4,"flow_max":266118,"flow_stddev":56471.3,"c_to_s_min":105,"c_to_s_avg":33409.3,"c_to_s_max":146597,"c_to_s_stddev":42939.0,"s_to_c_min":451,"s_to_c_avg":83831.1,"s_to_c_max":266118,"s_to_c_stddev":69278.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":1082.0,"c_to_s_max":1514,"c_to_s_stddev":624.8,"s_to_c_min":66,"s_to_c_avg":361.7,"s_to_c_max":1514,"s_to_c_stddev":525.2}}} +01201{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2040,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319064669455,"flow_src_last_pkt_time":1484319065388464,"flow_dst_last_pkt_time":1484319065423935,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":23355,"flow_dst_tot_l4_payload_len":2633,"midstream":0,"thread_ts_usec":1484319065423935,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":105,"flow_avg":47531.9,"flow_max":266118,"flow_stddev":57373.9,"c_to_s_min":105,"c_to_s_avg":32682.2,"c_to_s_max":146597,"c_to_s_stddev":43765.3,"s_to_c_min":451,"s_to_c_avg":83831.1,"s_to_c_max":266118,"s_to_c_stddev":69278.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":1082.0,"c_to_s_max":1514,"c_to_s_stddev":624.8,"s_to_c_min":66,"s_to_c_avg":361.7,"s_to_c_max":1514,"s_to_c_stddev":525.2}}} 01677{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2040,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319064669455,"flow_src_last_pkt_time":1484319065388464,"flow_dst_last_pkt_time":1484319065423935,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":23355,"flow_dst_tot_l4_payload_len":2633,"midstream":0,"thread_ts_usec":1484319065423935,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","tls": {"version":"TLSv1.2","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}} -01202{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319065492035,"flow_dst_last_pkt_time":1484319065478679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9240,"flow_dst_tot_l4_payload_len":6755,"midstream":0,"thread_ts_usec":1484319065492035,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":182,"flow_avg":52481.1,"flow_max":282465,"flow_stddev":57252.5,"c_to_s_min":182,"c_to_s_avg":45893.9,"c_to_s_max":282465,"c_to_s_stddev":69475.4,"s_to_c_min":10583,"s_to_c_avg":62108.5,"s_to_c_max":127478,"s_to_c_stddev":29289.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":552.9,"c_to_s_max":1514,"c_to_s_stddev":622.3,"s_to_c_min":66,"s_to_c_avg":586.2,"s_to_c_max":1514,"s_to_c_stddev":640.0}}} +01202{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319065492035,"flow_dst_last_pkt_time":1484319065478679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9240,"flow_dst_tot_l4_payload_len":6755,"midstream":0,"thread_ts_usec":1484319065492035,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":182,"flow_avg":52521.9,"flow_max":282465,"flow_stddev":58168.2,"c_to_s_min":182,"c_to_s_avg":45598.2,"c_to_s_max":282465,"c_to_s_stddev":71367.6,"s_to_c_min":10583,"s_to_c_avg":62108.5,"s_to_c_max":127478,"s_to_c_stddev":29289.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":552.9,"c_to_s_max":1514,"c_to_s_stddev":622.3,"s_to_c_min":66,"s_to_c_avg":586.2,"s_to_c_max":1514,"s_to_c_stddev":640.0}}} 01677{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2062,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319065492035,"flow_dst_last_pkt_time":1484319065478679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9240,"flow_dst_tot_l4_payload_len":6755,"midstream":0,"thread_ts_usec":1484319065492035,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","tls": {"version":"TLSv1.2","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}} -01201{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2094,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319065635020,"flow_dst_last_pkt_time":1484319065630720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":19082,"flow_dst_tot_l4_payload_len":3110,"midstream":0,"thread_ts_usec":1484319065635020,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":105,"flow_avg":57846.0,"flow_max":332646,"flow_stddev":82496.8,"c_to_s_min":105,"c_to_s_avg":42365.6,"c_to_s_max":332646,"c_to_s_stddev":76711.5,"s_to_c_min":534,"s_to_c_avg":91903.0,"s_to_c_max":331939,"s_to_c_stddev":84528.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":933.9,"c_to_s_max":1514,"c_to_s_stddev":690.0,"s_to_c_min":66,"s_to_c_avg":377.8,"s_to_c_max":1514,"s_to_c_stddev":570.1}}} +01201{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2094,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319065635020,"flow_dst_last_pkt_time":1484319065630720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":19082,"flow_dst_tot_l4_payload_len":3110,"midstream":0,"thread_ts_usec":1484319065635020,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":105,"flow_avg":59431.0,"flow_max":332646,"flow_stddev":83335.9,"c_to_s_min":105,"c_to_s_avg":43968.1,"c_to_s_max":332646,"c_to_s_stddev":78156.1,"s_to_c_min":534,"s_to_c_avg":91903.0,"s_to_c_max":331939,"s_to_c_stddev":84528.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":933.9,"c_to_s_max":1514,"c_to_s_stddev":690.0,"s_to_c_min":66,"s_to_c_avg":377.8,"s_to_c_max":1514,"s_to_c_stddev":570.1}}} 01704{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2094,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319065635020,"flow_dst_last_pkt_time":1484319065630720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":19082,"flow_dst_tot_l4_payload_len":3110,"midstream":0,"thread_ts_usec":1484319065635020,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}} -01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2131,"source":"netflix.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319064593980,"flow_src_last_pkt_time":1484319066015206,"flow_dst_last_pkt_time":1484319066064571,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":515,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":19133,"midstream":0,"thread_ts_usec":1484319066064571,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2593,"flow_avg":91252.1,"flow_max":471964,"flow_stddev":117978.0,"c_to_s_min":2593,"c_to_s_avg":90592.2,"c_to_s_max":471964,"c_to_s_stddev":130570.6,"s_to_c_min":5363,"s_to_c_avg":91911.9,"s_to_c_max":417442,"s_to_c_stddev":103865.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":135.2,"c_to_s_max":581,"c_to_s_stddev":167.6,"s_to_c_min":74,"s_to_c_avg":1262.3,"s_to_c_max":1514,"s_to_c_stddev":453.6}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2195,"source":"netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319064590230,"flow_src_last_pkt_time":1484319066598421,"flow_dst_last_pkt_time":1484319065741809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":17969,"midstream":0,"thread_ts_usec":1484319066598421,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53183,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5292,"flow_avg":99926.4,"flow_max":730898,"flow_stddev":153617.1,"c_to_s_min":6142,"c_to_s_avg":120356.8,"c_to_s_max":730898,"c_to_s_stddev":195586.2,"s_to_c_min":5292,"s_to_c_avg":76771.9,"s_to_c_max":279545,"s_to_c_stddev":77325.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":131.0,"c_to_s_max":578,"c_to_s_stddev":162.1,"s_to_c_min":74,"s_to_c_avg":1264.5,"s_to_c_max":1514,"s_to_c_stddev":445.7}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2131,"source":"netflix.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319064593980,"flow_src_last_pkt_time":1484319066015206,"flow_dst_last_pkt_time":1484319066064571,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":515,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":19133,"midstream":0,"thread_ts_usec":1484319066064571,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2593,"flow_avg":93284.4,"flow_max":471964,"flow_stddev":119313.2,"c_to_s_min":2593,"c_to_s_avg":94748.4,"c_to_s_max":471964,"c_to_s_stddev":133824.0,"s_to_c_min":5363,"s_to_c_avg":91911.9,"s_to_c_max":417442,"s_to_c_stddev":103865.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":135.2,"c_to_s_max":581,"c_to_s_stddev":167.6,"s_to_c_min":74,"s_to_c_avg":1262.3,"s_to_c_max":1514,"s_to_c_stddev":453.6}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2195,"source":"netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319064590230,"flow_src_last_pkt_time":1484319066598421,"flow_dst_last_pkt_time":1484319065741809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":17969,"midstream":0,"thread_ts_usec":1484319066598421,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53183,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5292,"flow_avg":101928.1,"flow_max":730898,"flow_stddev":155663.8,"c_to_s_min":6142,"c_to_s_avg":125511.9,"c_to_s_max":730898,"c_to_s_stddev":200482.0,"s_to_c_min":5292,"s_to_c_avg":76771.9,"s_to_c_max":279545,"s_to_c_stddev":77325.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":131.0,"c_to_s_max":578,"c_to_s_stddev":162.1,"s_to_c_min":74,"s_to_c_avg":1264.5,"s_to_c_max":1514,"s_to_c_stddev":445.7}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2494,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319070636683,"flow_dst_last_pkt_time":1484319070636683,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319070636683,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2494,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1484319070636683,"flow_dst_last_pkt_time":1484319070636683,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319070636683,"pkt":"gCqoTGHM5JjWH70UCABFAABAs25AAEAGoh\/AqAEHF\/YLhc\/aAFBx1HGxAAAAALAC\/\/84uwAAAgQFtAEDAwUBAQgKH2VGAgAAAAAEAgAA"} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2497,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_src_last_pkt_time":1484319070636683,"flow_dst_last_pkt_time":1484319070655089,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319070655089,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGWnIX9guFwKgBBwBQz9pdV1SucdRxsqAS\/\/+\/OwAAAgQFtAEDAwkEAggKgYtW3h9lRgI="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2499,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":3,"flow_src_last_pkt_time":1484319070656558,"flow_dst_last_pkt_time":1484319070655089,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319070656558,"pkt":"gCqoTGHM5JjWH70UCABFAAA0S\/NAAEAGCafAqAEHF\/YLhc\/aAFBx1HGyXVdUr4AQEBXd4QAAAQEICh9lRhWBi1be"} 01383{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2501,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319070660268,"flow_dst_last_pkt_time":1484319070655089,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":509,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":509,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319070660268,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.133","http": {"url":"23.246.11.133\/?o=AQEfKq2oMrLRiWL1ouVaJpeQLBWjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JfEef80K02ynIjLLoi-HZB1uQ10","code":0,"content_type":"","user_agent":"AppleCoreMedia\/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)"}}} -01480{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2608,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319072360005,"flow_dst_last_pkt_time":1484319072357645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":515,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":21986,"midstream":0,"thread_ts_usec":1484319072360005,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3710,"flow_avg":111274.4,"flow_max":530041,"flow_stddev":157680.2,"c_to_s_min":3710,"c_to_s_avg":131415.7,"c_to_s_max":526591,"c_to_s_stddev":174129.7,"s_to_c_min":5405,"s_to_c_avg":95609.0,"s_to_c_max":530041,"s_to_c_stddev":141622.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":142.9,"c_to_s_max":581,"c_to_s_stddev":177.8,"s_to_c_min":74,"s_to_c_avg":1287.9,"s_to_c_max":1514,"s_to_c_stddev":438.4}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01480{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2608,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319072360005,"flow_dst_last_pkt_time":1484319072357645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":515,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":21986,"midstream":0,"thread_ts_usec":1484319072360005,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3710,"flow_avg":111105.9,"flow_max":530041,"flow_stddev":160200.4,"c_to_s_min":3710,"c_to_s_avg":132563.2,"c_to_s_max":526591,"c_to_s_stddev":180651.9,"s_to_c_min":5405,"s_to_c_avg":95609.0,"s_to_c_max":530041,"s_to_c_stddev":141622.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":142.9,"c_to_s_max":581,"c_to_s_stddev":177.8,"s_to_c_min":74,"s_to_c_avg":1287.9,"s_to_c_max":1514,"s_to_c_stddev":438.4}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4214,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319091296070,"flow_src_last_pkt_time":1484319091296070,"flow_dst_last_pkt_time":1484319091296070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319091296070,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53217,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4214,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":1,"flow_src_last_pkt_time":1484319091296070,"flow_dst_last_pkt_time":1484319091296070,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319091296070,"pkt":"gCqoTGHM5JjWH70UCABFAABAakNAAEAG60LAqAEHF\/YLjc\/hAFDAgDYQAAAAALAC\/\/\/YUQAAAgQFtAEDAwUBAQgKH2WTUQAAAAAEAgAA"} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4216,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":2,"flow_src_last_pkt_time":1484319091296070,"flow_dst_last_pkt_time":1484319091309083,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319091309083,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGWmoX9guNwKgBBwBQz+FsswOfwIA2EaAS\/\/85DQAAAgQFtAEDAwkEAggK\/T5Cox9lk1E="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4217,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":3,"flow_src_last_pkt_time":1484319091310850,"flow_dst_last_pkt_time":1484319091309083,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319091310850,"pkt":"gCqoTGHM5JjWH70UCABFAAA00UpAAEAGhEfAqAEHF\/YLjc\/hAFDAgDYRbLMDoIAQEBVXuAAAAQEICh9lk1\/9PkKj"} 01383{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4218,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319091296070,"flow_src_last_pkt_time":1484319091314892,"flow_dst_last_pkt_time":1484319091309083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":509,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":509,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319091314892,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53217,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.141","http": {"url":"23.246.11.141\/?o=AQEfKq2oMrLRiWL2puNQJJ2TLhuiGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpP7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=Dh278u2UpApOCGUj5RxV8azNWX8","code":0,"content_type":"","user_agent":"AppleCoreMedia\/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)"}}} -01471{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4263,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1484319091296070,"flow_src_last_pkt_time":1484319091784359,"flow_dst_last_pkt_time":1484319091750098,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":518,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1027,"flow_dst_tot_l4_payload_len":23476,"midstream":0,"thread_ts_usec":1484319091784359,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53217,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":186,"flow_avg":31547.1,"flow_max":286066,"flow_stddev":49539.5,"c_to_s_min":186,"c_to_s_avg":42729.2,"c_to_s_max":286066,"c_to_s_stddev":72751.9,"s_to_c_min":839,"s_to_c_avg":23896.2,"s_to_c_max":71007,"s_to_c_stddev":19178.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":147.5,"c_to_s_max":584,"c_to_s_stddev":184.3,"s_to_c_min":74,"s_to_c_avg":1302.0,"s_to_c_max":1514,"s_to_c_stddev":426.3}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01471{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4263,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1484319091296070,"flow_src_last_pkt_time":1484319091784359,"flow_dst_last_pkt_time":1484319091750098,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":518,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1027,"flow_dst_tot_l4_payload_len":23476,"midstream":0,"thread_ts_usec":1484319091784359,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53217,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":186,"flow_avg":30397.3,"flow_max":286066,"flow_stddev":49910.1,"c_to_s_min":186,"c_to_s_avg":40690.8,"c_to_s_max":286066,"c_to_s_stddev":75365.0,"s_to_c_min":839,"s_to_c_avg":23896.2,"s_to_c_max":71007,"s_to_c_stddev":19178.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":147.5,"c_to_s_max":584,"c_to_s_stddev":184.3,"s_to_c_min":74,"s_to_c_avg":1302.0,"s_to_c_max":1514,"s_to_c_stddev":426.3}},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6397,"source":"netflix.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319114365279,"flow_src_last_pkt_time":1484319114365279,"flow_dst_last_pkt_time":1484319114365279,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319114365279,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":51622,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6397,"source":"netflix.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":1,"flow_src_last_pkt_time":1484319114365279,"flow_dst_last_pkt_time":1484319114365279,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":80,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":80,"pkt_l4_len":46,"thread_ts_usec":1484319114365279,"pkt":"gCqoTGHM5JjWH70UCABFAABCZ6UAAEARj63AqAEHwKgBAcmmADUALqajKFkBAAABAAAAAAAAA2lvcwRuY2NwB25ldGZsaXgDY29tAAABAAE="} 01000{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6397,"source":"netflix.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319114365279,"flow_src_last_pkt_time":1484319114365279,"flow_dst_last_pkt_time":1484319114365279,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319114365279,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":51622,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -368,7 +368,7 @@ 01169{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6814,"source":"netflix.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319117827967,"flow_src_last_pkt_time":1484319117892631,"flow_dst_last_pkt_time":1484319117886937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319117892631,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53250,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6821,"source":"netflix.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319117826887,"flow_src_last_pkt_time":1484319117885772,"flow_dst_last_pkt_time":1484319117930548,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319117930548,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53249,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6828,"source":"netflix.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319117827967,"flow_src_last_pkt_time":1484319117892631,"flow_dst_last_pkt_time":1484319117942410,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319117942410,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53250,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} -01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6875,"source":"netflix.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319117826887,"flow_src_last_pkt_time":1484319118140455,"flow_dst_last_pkt_time":1484319118145946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2205,"flow_dst_tot_l4_payload_len":9578,"midstream":0,"thread_ts_usec":1484319118145946,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53249,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":140,"flow_avg":22182.4,"flow_max":141407,"flow_stddev":30165.2,"c_to_s_min":402,"c_to_s_avg":24423.6,"c_to_s_max":141407,"c_to_s_stddev":37214.2,"s_to_c_min":140,"s_to_c_avg":19941.2,"s_to_c_max":58570,"s_to_c_stddev":20613.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":204.6,"c_to_s_max":1514,"c_to_s_stddev":360.8,"s_to_c_min":66,"s_to_c_avg":665.1,"s_to_c_max":1514,"s_to_c_stddev":526.0}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} +01479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6875,"source":"netflix.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319117826887,"flow_src_last_pkt_time":1484319118140455,"flow_dst_last_pkt_time":1484319118145946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2205,"flow_dst_tot_l4_payload_len":9578,"midstream":0,"thread_ts_usec":1484319118145946,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53249,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":140,"flow_avg":20407.3,"flow_max":141407,"flow_stddev":28956.2,"c_to_s_min":402,"c_to_s_avg":20904.5,"c_to_s_max":141407,"c_to_s_stddev":35764.3,"s_to_c_min":140,"s_to_c_avg":19941.2,"s_to_c_max":58570,"s_to_c_stddev":20613.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":204.6,"c_to_s_max":1514,"c_to_s_stddev":360.8,"s_to_c_min":66,"s_to_c_avg":665.1,"s_to_c_max":1514,"s_to_c_stddev":526.0}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6888,"source":"netflix.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319118629811,"flow_src_last_pkt_time":1484319118629811,"flow_dst_last_pkt_time":1484319118629811,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319118629811,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57093,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6888,"source":"netflix.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":1,"flow_src_last_pkt_time":1484319118629811,"flow_dst_last_pkt_time":1484319118629811,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"thread_ts_usec":1484319118629811,"pkt":"gCqoTGHM5JjWH70UCABFAABDkmsAAP8RpeXAqAEHwKgBAd8FADUALzVHkfABAAABAAAAAAAABWExOTA3BGRzY2cGYWthbWFpA25ldAAAAQAB"} 00998{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6888,"source":"netflix.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319118629811,"flow_src_last_pkt_time":1484319118629811,"flow_dst_last_pkt_time":1484319118629811,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319118629811,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57093,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"a1907.dscg.akamai.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -384,10 +384,10 @@ 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6905,"source":"netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_packet_id":3,"flow_src_last_pkt_time":1484319118675789,"flow_dst_last_pkt_time":1484319118674728,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319118675789,"pkt":"gCqoTGHM5JjWH70UCABFAAA0us1AAEAGOiPAqAEHuBnMCtAEAFDFgkYiq+D9DIAQEBUYOwAAAQEICh9l+cH\/\/WqN"} 01072{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6906,"source":"netflix.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319118657433,"flow_src_last_pkt_time":1484319118676250,"flow_dst_last_pkt_time":1484319118672865,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319118676250,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53251,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-1.nflximg.net","http": {"url":"art-1.nflximg.net\/4e36d\/6289889020d6cc6dfb3038c35564a41e1ca4e36d.jpg","code":0,"content_type":"","user_agent":"Argo\/9.1.0 (iPhone; iOS 10.2; Scale\/2.00)"}}} 01072{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6908,"source":"netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319118658049,"flow_src_last_pkt_time":1484319118687774,"flow_dst_last_pkt_time":1484319118674728,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319118687774,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53252,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-1.nflximg.net","http": {"url":"art-1.nflximg.net\/8b1fa\/eaa1b78cd72ca4dbdcab527691d2fcab37c8b1fa.jpg","code":0,"content_type":"","user_agent":"Argo\/9.1.0 (iPhone; iOS 10.2; Scale\/2.00)"}}} -01210{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6921,"source":"netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319117605859,"flow_src_last_pkt_time":1484319118414034,"flow_dst_last_pkt_time":1484319118767393,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4896,"flow_dst_tot_l4_payload_len":7589,"midstream":0,"thread_ts_usec":1484319118767393,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":95,"flow_avg":1660988.9,"flow_max":51181934,"flow_stddev":8895028.0,"c_to_s_min":95,"c_to_s_avg":3058241.8,"c_to_s_max":51181934,"c_to_s_stddev":12031367.0,"s_to_c_min":301,"s_to_c_avg":77435.6,"s_to_c_max":500942,"s_to_c_stddev":134218.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":354.7,"c_to_s_max":1514,"c_to_s_stddev":483.8,"s_to_c_min":66,"s_to_c_avg":572.5,"s_to_c_max":1514,"s_to_c_stddev":600.3}}} +01199{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6921,"source":"netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319117605859,"flow_src_last_pkt_time":1484319118414034,"flow_dst_last_pkt_time":1484319118767393,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4896,"flow_dst_tot_l4_payload_len":7589,"midstream":0,"thread_ts_usec":1484319118767393,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":95,"flow_avg":63539.0,"flow_max":500942,"flow_stddev":121518.7,"c_to_s_min":95,"c_to_s_avg":50510.9,"c_to_s_max":437212,"c_to_s_stddev":106636.0,"s_to_c_min":301,"s_to_c_avg":77435.6,"s_to_c_max":500942,"s_to_c_stddev":134218.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":354.7,"c_to_s_max":1514,"c_to_s_stddev":483.8,"s_to_c_min":66,"s_to_c_avg":572.5,"s_to_c_max":1514,"s_to_c_stddev":600.3}}} 01731{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6921,"source":"netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319117605859,"flow_src_last_pkt_time":1484319118414034,"flow_dst_last_pkt_time":1484319118767393,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4896,"flow_dst_tot_l4_payload_len":7589,"midstream":0,"thread_ts_usec":1484319118767393,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"d8bfad189bd26664e04570c104ee8418","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}} -01342{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6965,"source":"netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1484319118658049,"flow_src_last_pkt_time":1484319118854817,"flow_dst_last_pkt_time":1484319119584735,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":34752,"midstream":0,"thread_ts_usec":1484319119584735,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53252,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":508,"flow_avg":35868.0,"flow_max":99830,"flow_stddev":21315.9,"c_to_s_min":11985,"c_to_s_avg":36848.2,"c_to_s_max":99830,"c_to_s_stddev":29474.0,"s_to_c_min":508,"s_to_c_avg":35641.8,"s_to_c_max":81106,"s_to_c_stddev":18933.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":110.8,"c_to_s_max":311,"c_to_s_stddev":89.7,"s_to_c_min":66,"s_to_c_avg":1402.9,"s_to_c_max":1514,"s_to_c_stddev":384.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01353{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6990,"source":"netflix.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319118657433,"flow_src_last_pkt_time":1484319120611345,"flow_dst_last_pkt_time":1484319120609765,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":490,"flow_dst_tot_l4_payload_len":22387,"midstream":0,"thread_ts_usec":1484319120611345,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53251,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":241,"flow_avg":122810.9,"flow_max":1416280,"flow_stddev":335892.5,"c_to_s_min":241,"c_to_s_avg":141258.4,"c_to_s_max":1389753,"c_to_s_stddev":352834.7,"s_to_c_min":268,"s_to_c_avg":108462.9,"s_to_c_max":1416280,"s_to_c_stddev":321368.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.9,"c_to_s_max":311,"c_to_s_stddev":85.4,"s_to_c_min":66,"s_to_c_avg":1310.2,"s_to_c_max":1514,"s_to_c_stddev":473.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01342{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6965,"source":"netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1484319118658049,"flow_src_last_pkt_time":1484319118854817,"flow_dst_last_pkt_time":1484319119584735,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":34752,"midstream":0,"thread_ts_usec":1484319119584735,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53252,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":508,"flow_avg":36240.5,"flow_max":99830,"flow_stddev":21554.2,"c_to_s_min":11985,"c_to_s_avg":39353.6,"c_to_s_max":99830,"c_to_s_stddev":31698.6,"s_to_c_min":508,"s_to_c_avg":35641.8,"s_to_c_max":81106,"s_to_c_stddev":18933.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":110.8,"c_to_s_max":311,"c_to_s_stddev":89.7,"s_to_c_min":66,"s_to_c_avg":1402.9,"s_to_c_max":1514,"s_to_c_stddev":384.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01353{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6990,"source":"netflix.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319118657433,"flow_src_last_pkt_time":1484319120611345,"flow_dst_last_pkt_time":1484319120609765,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":490,"flow_dst_tot_l4_payload_len":22387,"midstream":0,"thread_ts_usec":1484319120611345,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53251,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":241,"flow_avg":126007.9,"flow_max":1416280,"flow_stddev":340787.6,"c_to_s_min":241,"c_to_s_avg":150300.9,"c_to_s_max":1389753,"c_to_s_stddev":364587.3,"s_to_c_min":268,"s_to_c_avg":108462.9,"s_to_c_max":1416280,"s_to_c_stddev":321368.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":101.9,"c_to_s_max":311,"c_to_s_stddev":85.4,"s_to_c_min":66,"s_to_c_avg":1310.2,"s_to_c_max":1514,"s_to_c_stddev":473.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 01036{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":83,"flow_dst_packets_processed":147,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319110605814,"flow_dst_last_pkt_time":1484319110632202,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1427,"flow_dst_tot_l4_payload_len":193037,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} 00865{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319034890998,"flow_src_last_pkt_time":1484319034890998,"flow_dst_last_pkt_time":1484319034890998,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":8,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":8,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":8,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"239.255.255.250","l4_proto":2,"flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IGMP","proto_id":"82","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00899{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319118629811,"flow_src_last_pkt_time":1484319118629811,"flow_dst_last_pkt_time":1484319118652959,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":71,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":71,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57093,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} diff --git a/test/results/nfsv2.pcap.out b/test/results/nfsv2.pcap.out index 2b9c5f35e..fd2508b97 100644 --- a/test/results/nfsv2.pcap.out +++ b/test/results/nfsv2.pcap.out @@ -21,7 +21,7 @@ 00859{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":9,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207338490000,"flow_src_last_pkt_time":944207338490000,"flow_dst_last_pkt_time":944207338490000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":124,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":124,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":124,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207338490000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1023,"dst_port":2049,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00618{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":944207338490000,"flow_dst_last_pkt_time":944207338490000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":944207338490000,"pkt":"AMCV4Bm+AMCV+E3TCABFAAB8jl8AAP8R6naLGRZmixkWAggBA\/8AaNSdXh0LlAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAEHtAAAAAgAAAAAAAAABAAAAYAAAQAAAAAAAAAAAAAAQEIUAALJaOEd1QgAFMCA4R3VCAAd6EDhHdUIAB3oQ"} 00659{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":944207338490000,"flow_dst_last_pkt_time":944207338490000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":166,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":166,"pkt_l4_len":132,"thread_ts_usec":944207338490000,"pkt":"AMCV+E3TAMCV4Bm+CABFAACYZMcAAP8RE\/OLGRYCixkWZgP\/CAEAhHghXh0LlQAAAAAAAAACAAGGowAAAAIAAAARAAAAAQAAADQ4R3XQAAAACXdlcnJtc2NoZQAAAAAAAAAAAAABAAAABQAAAAEAAAAAAAAAAgAAAAMAAAARAAAAAAAAAAAAEBCFAAAD5wAKAAAAALJaAAAAKQAKAAAAALJaAAAAKQ=="} -01338{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":944207338490000,"flow_src_last_pkt_time":944207338580000,"flow_dst_last_pkt_time":944207338580000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":124,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":128,"flow_src_tot_l4_payload_len":2168,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":944207338580000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1023,"dst_port":2049,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":10000,"flow_avg":16923.1,"flow_max":40000,"flow_stddev":12639.8,"c_to_s_min":10000,"c_to_s_avg":18571.4,"c_to_s_max":40000,"c_to_s_stddev":13552.6,"s_to_c_min":10000,"s_to_c_avg":15000.0,"s_to_c_max":40000,"s_to_c_stddev":11180.3},"pktlen": {"c_to_s_min":166,"c_to_s_avg":177.5,"c_to_s_max":214,"c_to_s_stddev":14.4,"s_to_c_min":70,"s_to_c_avg":117.5,"s_to_c_max":170,"s_to_c_stddev":41.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} +01338{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":944207338490000,"flow_src_last_pkt_time":944207338580000,"flow_dst_last_pkt_time":944207338580000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":124,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":128,"flow_src_tot_l4_payload_len":2168,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":944207338580000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1023,"dst_port":2049,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":10000,"flow_avg":15000.0,"flow_max":40000,"flow_stddev":11180.3,"c_to_s_min":10000,"c_to_s_avg":15000.0,"c_to_s_max":40000,"c_to_s_stddev":11180.3,"s_to_c_min":10000,"s_to_c_avg":15000.0,"s_to_c_max":40000,"s_to_c_stddev":11180.3},"pktlen": {"c_to_s_min":166,"c_to_s_avg":177.5,"c_to_s_max":214,"c_to_s_stddev":14.4,"s_to_c_min":70,"s_to_c_avg":117.5,"s_to_c_max":170,"s_to_c_stddev":41.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":153,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207338880000,"flow_src_last_pkt_time":944207338880000,"flow_dst_last_pkt_time":944207338880000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207338880000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":3293,"dst_port":111,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00577{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":153,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":944207338880000,"flow_dst_last_pkt_time":944207338880000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"thread_ts_usec":944207338880000,"pkt":"AMCV+E3TAMCV4Bm+CABFAABcZRAAAEAR0uaLGRYCixkWZgzdAG8ASKDlOErjjgAAAAAAAAACAAGGoAAAAAMAAAADAAAAAAAAAAAAAAAAAAAAAAABhqUAAAABAAAAA3VkcAAAAAAAAAAAAA=="} 00989{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":153,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207338880000,"flow_src_last_pkt_time":944207338880000,"flow_dst_last_pkt_time":944207338880000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207338880000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":3293,"dst_port":111,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} diff --git a/test/results/nfsv3.pcap.out b/test/results/nfsv3.pcap.out index ab4a620a1..434afd3a7 100644 --- a/test/results/nfsv3.pcap.out +++ b/test/results/nfsv3.pcap.out @@ -25,7 +25,7 @@ 00860{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207397400000,"flow_src_last_pkt_time":944207397400000,"flow_dst_last_pkt_time":944207397400000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207397400000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1022,"dst_port":2049,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00643{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":944207397400000,"flow_dst_last_pkt_time":944207397400000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":944207397400000,"pkt":"AMCV4Bm+AMCV+E3TCABFAACM5FMAAP8RlHKLGRZmixkWAggBA\/4AeFlmXh0L3AAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAEHtAAAAAgAAAAAAAAABAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQEIUAAAAAAACyWjhHdgwUQ\/0COEd16jDgNQI4R3XqMOA1Ag=="} 00661{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":944207397400000,"flow_dst_last_pkt_time":944207397400000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"thread_ts_usec":944207397400000,"pkt":"AMCV+E3TAMCV4Bm+CABFAACcZUIAAP8RE3SLGRYCixkWZgP+CAEAiHd0Xh0L3QAAAAAAAAACAAGGowAAAAMAAAATAAAAAQAAADQ4R3YLAAAACXdlcnJtc2NoZQAAAAAAAAAAAAABAAAABQAAAAEAAAAAAAAAAgAAAAMAAAARAAAAAAAAAAAAAAAgABAQhQAAA+cACgAAAACyWgAAACkACgAAAACyWgAAACk="} -01338{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":944207397400000,"flow_src_last_pkt_time":944207397500000,"flow_dst_last_pkt_time":944207397500000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":2256,"flow_dst_tot_l4_payload_len":2044,"midstream":0,"thread_ts_usec":944207397500000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1022,"dst_port":2049,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":10000,"flow_avg":20769.2,"flow_max":70000,"flow_stddev":20176.7,"c_to_s_min":10000,"c_to_s_avg":24285.7,"c_to_s_max":70000,"c_to_s_stddev":23211.5,"s_to_c_min":10000,"s_to_c_avg":16666.7,"s_to_c_max":50000,"s_to_c_stddev":14907.1},"pktlen": {"c_to_s_min":170,"c_to_s_avg":183.0,"c_to_s_max":226,"c_to_s_stddev":17.6,"s_to_c_min":74,"s_to_c_avg":169.8,"s_to_c_max":314,"s_to_c_stddev":87.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} +01338{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":944207397400000,"flow_src_last_pkt_time":944207397500000,"flow_dst_last_pkt_time":944207397500000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":2256,"flow_dst_tot_l4_payload_len":2044,"midstream":0,"thread_ts_usec":944207397500000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1022,"dst_port":2049,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":10000,"flow_avg":16666.7,"flow_max":50000,"flow_stddev":14907.1,"c_to_s_min":10000,"c_to_s_avg":16666.7,"c_to_s_max":50000,"c_to_s_stddev":14907.1,"s_to_c_min":10000,"s_to_c_avg":16666.7,"s_to_c_max":50000,"s_to_c_stddev":14907.1},"pktlen": {"c_to_s_min":170,"c_to_s_avg":183.0,"c_to_s_max":226,"c_to_s_stddev":17.6,"s_to_c_min":74,"s_to_c_avg":169.8,"s_to_c_max":314,"s_to_c_stddev":87.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":125,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207397740000,"flow_src_last_pkt_time":944207397740000,"flow_dst_last_pkt_time":944207397740000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207397740000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":3299,"dst_port":111,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00577{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":125,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":944207397740000,"flow_dst_last_pkt_time":944207397740000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"thread_ts_usec":944207397740000,"pkt":"AMCV+E3TAMCV4Bm+CABFAABcZXwAAEAR0nqLGRYCixkWZgzjAG8ASDjzOExLeQAAAAAAAAACAAGGoAAAAAMAAAADAAAAAAAAAAAAAAAAAAAAAAABhqUAAAABAAAAA3VkcAAAAAAAAAAAAA=="} 00989{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":125,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207397740000,"flow_src_last_pkt_time":944207397740000,"flow_dst_last_pkt_time":944207397740000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207397740000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":3299,"dst_port":111,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} diff --git a/test/results/nintendo.pcap.out b/test/results/nintendo.pcap.out index 05da8fe1a..90d6b1531 100644 --- a/test/results/nintendo.pcap.out +++ b/test/results/nintendo.pcap.out @@ -25,7 +25,7 @@ 00859{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731323269434,"flow_src_last_pkt_time":1500731323269434,"flow_dst_last_pkt_time":1500731323269434,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":76,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":76,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731323269434,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":52119,"dst_port":33335,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} 00602{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1500731323270842,"flow_dst_last_pkt_time":1500731323269434,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"thread_ts_usec":1500731323270842,"pkt":"AA6OGXEMfLuKifuECABFAABoEWAAAEARLjDAqAxyI55KPcuXgjcAVAoAMquYZAIAAACgRQAAPD+rAYcrvhgZcqXY4tF4R087lVXf\/uabOP7DTtPl\/Z68o2TwyTMiy\/1PT8Q0PYJjfL9\/FaWie4QujpeJZMzmHA=="} 00602{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":62,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1500731323270871,"flow_dst_last_pkt_time":1500731323269434,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"thread_ts_usec":1500731323270871,"pkt":"AA6OGXEMfLuKifuECABFAABoEWEAAEARLi\/AqAxyI55KPcuXgjcAVCUqMquYZAIAAACgRgAAPD+rAYcrvhgZcqXY4tF4R087lVXf\/uabOP7DTtPl\/Z68o2TwyTMiy\/1PT8Q0PYJjeofEEG4mAZPKsmIYZ3XQPw=="} -01360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":69,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1500731320644357,"flow_src_last_pkt_time":1500731323575958,"flow_dst_last_pkt_time":1500731323714896,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":188,"flow_dst_max_l4_payload_len":812,"flow_src_tot_l4_payload_len":1264,"flow_dst_tot_l4_payload_len":2736,"midstream":0,"thread_ts_usec":1500731323714896,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"91.8.243.35","src_port":52119,"dst_port":49432,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":53,"flow_avg":32310846.0,"flow_max":1027944949,"flow_stddev":178821472.0,"c_to_s_min":233,"c_to_s_avg":64429784.0,"c_to_s_max":1027944949,"c_to_s_stddev":248778624.0,"s_to_c_min":53,"s_to_c_avg":191908.7,"s_to_c_max":1729670,"s_to_c_stddev":415946.6},"pktlen": {"c_to_s_min":102,"c_to_s_avg":121.0,"c_to_s_max":230,"c_to_s_stddev":31.1,"s_to_c_min":102,"s_to_c_avg":213.0,"s_to_c_max":854,"s_to_c_stddev":243.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} +01343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":69,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1500731320644357,"flow_src_last_pkt_time":1500731323575958,"flow_dst_last_pkt_time":1500731323714896,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":188,"flow_dst_max_l4_payload_len":812,"flow_src_tot_l4_payload_len":1264,"flow_dst_tot_l4_payload_len":2736,"midstream":0,"thread_ts_usec":1500731323714896,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"91.8.243.35","src_port":52119,"dst_port":49432,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":53,"flow_avg":193617.4,"flow_max":1729670,"flow_stddev":331922.2,"c_to_s_min":233,"c_to_s_avg":195440.1,"c_to_s_max":514446,"c_to_s_stddev":207695.4,"s_to_c_min":53,"s_to_c_avg":191908.7,"s_to_c_max":1729670,"s_to_c_stddev":415946.6},"pktlen": {"c_to_s_min":102,"c_to_s_avg":121.0,"c_to_s_max":230,"c_to_s_stddev":31.1,"s_to_c_min":102,"s_to_c_avg":213.0,"s_to_c_max":854,"s_to_c_stddev":243.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":83,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731326270619,"flow_src_last_pkt_time":1500731326270619,"flow_dst_last_pkt_time":1500731326270619,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":688,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":688,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":688,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731326270619,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"52.10.205.177","src_port":52119,"dst_port":34343,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 01453{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1500731326270619,"flow_dst_last_pkt_time":1500731326270619,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":730,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":730,"pkt_l4_len":696,"thread_ts_usec":1500731326270619,"pkt":"AA6OGXEMfLuKifuECABFAALMEW8AAEARl9zAqAxyNArNscuXhicCuLNGMquYZAEAAACsAAAACAICgAAAAAAAZU1IgACGJwAAAAAPAfz\/AmL\/\/\/\/\/\/\/\/\/\/\/\/\/DNhnHrgUDeqh96EJudpqr7HTWmwuyiNXAoN8EJ3L9Q9BYy53b12QoycQBbgF0+MGumCDqya3DRDi\/FgfUDp8jmtF0eLtdJawWMd0Uh7gRi0nJAedvr+L4LDG+1PkKHdQjXkwcc63uSwXLbhZGs5rZ8pLuCki3H7JLOG5CI96WiAzLSOgOT5MmMOkBR9lHnUbly8I57OvnsPjzu2ZoGj750rOuJoq4PDp+HTtcuUkR\/yuCERU5DE5fS3WD79Od2EljENI\/Aj0rbyEoWaVKXUGbMeIN\/PHtUKEKwxkiH\/DZpj\/dOZVZle2A+wpaUtVb5Kkq8m0M0sj8U0Nr8\/f9iy5nCcQHobd29hf9qcfXx\/tCnteI0cP0tyykizOxpnlPK2I0STXsPD0wxOnU\/OOfu8Wm3V94s2PEbCeAbRx8PvXHbjtAm8AnmQMBMeFM6TQwwpijOYTfaXxrgmiFU\/AHPdepp0ILcWD5QSKt4MWDsJ\/eC61SjGvCVRvXn2JW5KB\/4JQcfZHw4S\/auTmIFCllOyidDXFohQ4NU8A9vt0e5qrI\/cou3U09qQhgu6ncsvX+jQusCyJhx1EpdaFLaOseb4xo0IjeHtTg5uKzMiP+l3dg6BJfcICpsS0fKy4Lvcxzq4iHlV\/CkZw5k\/5qPEe1WClYIIYAQ1QuHKqZOMgl0qEP1biit38pQoNuI5A\/WZ4yptUyrSpaVacwxp5yZkU47ddcg7lId\/wkwQjzVN9BmlVIcEupSyiP64T8RypU57m5OsmKDUV8cUXr\/nGnwi\/96TbsG+A6i29VkTJzG6j04DbRd\/2rnSbi4lJUC2\/\/AUQQJGvBPVxZ\/JcWHrRv6UUWsmJyg=="} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":89,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731326599476,"flow_src_last_pkt_time":1500731326599476,"flow_dst_last_pkt_time":1500731326599476,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":68,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731326599476,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"192.168.12.1","src_port":18874,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -77,7 +77,7 @@ 01200{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":156,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1500731341201471,"flow_src_last_pkt_time":1500731341246098,"flow_dst_last_pkt_time":1500731341241134,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":212,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731341246098,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Nintendo","proto_id":"91.173","encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","tls": {"version":"TLSv1.2","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01260{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":158,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1500731341201471,"flow_src_last_pkt_time":1500731341246098,"flow_dst_last_pkt_time":1500731341285479,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":1348,"flow_src_tot_l4_payload_len":212,"flow_dst_tot_l4_payload_len":1348,"midstream":0,"thread_ts_usec":1500731341285479,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Nintendo","proto_id":"91.173","encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","tls": {"version":"TLSv1.2","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01681{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":159,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1500731341201471,"flow_src_last_pkt_time":1500731341246098,"flow_dst_last_pkt_time":1500731341285901,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":1348,"flow_src_tot_l4_payload_len":212,"flow_dst_tot_l4_payload_len":2696,"midstream":0,"thread_ts_usec":1500731341285901,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Nintendo","proto_id":"91.173","encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","tls": {"version":"TLSv1.2","server_names":"*.baas.nintendo.com,baas.nintendo.com","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=JP, ST=Kyoto, L=Minami-ku, O=Nintendo Co., Ltd., CN=*.baas.nintendo.com","fingerprint":"8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94"}}} -01370{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":180,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1500731322454625,"flow_src_last_pkt_time":1500731342015923,"flow_dst_last_pkt_time":1500731342041758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":334,"flow_dst_max_l4_payload_len":405,"flow_src_tot_l4_payload_len":1090,"flow_dst_tot_l4_payload_len":1094,"midstream":1,"thread_ts_usec":1500731342041758,"l3_proto":"ip4","src_ip":"54.187.10.185","dst_ip":"192.168.12.114","src_port":443,"dst_port":48328,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":43,"flow_avg":1238082.4,"flow_max":14019058,"flow_stddev":3391520.2,"c_to_s_min":43,"c_to_s_avg":1054289.6,"c_to_s_max":14019058,"c_to_s_stddev":3148624.8,"s_to_c_min":4335,"s_to_c_avg":1506702.5,"s_to_c_max":13944464,"s_to_c_stddev":3701708.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":123.4,"c_to_s_max":400,"c_to_s_stddev":76.9,"s_to_c_min":66,"s_to_c_avg":150.2,"s_to_c_max":471,"s_to_c_stddev":121.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01370{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":180,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1500731322454625,"flow_src_last_pkt_time":1500731342015923,"flow_dst_last_pkt_time":1500731342041758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":334,"flow_dst_max_l4_payload_len":405,"flow_src_tot_l4_payload_len":1090,"flow_dst_tot_l4_payload_len":1094,"midstream":1,"thread_ts_usec":1500731342041758,"l3_proto":"ip4","src_ip":"54.187.10.185","dst_ip":"192.168.12.114","src_port":443,"dst_port":48328,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":43,"flow_avg":1262852.6,"flow_max":14019058,"flow_stddev":3442938.0,"c_to_s_min":43,"c_to_s_avg":1086738.8,"c_to_s_max":14019058,"c_to_s_stddev":3231810.8,"s_to_c_min":4335,"s_to_c_avg":1506702.5,"s_to_c_max":13944464,"s_to_c_stddev":3701708.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":123.4,"c_to_s_max":400,"c_to_s_stddev":76.9,"s_to_c_min":66,"s_to_c_avg":150.2,"s_to_c_max":471,"s_to_c_stddev":121.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":187,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731342849734,"flow_src_last_pkt_time":1500731342849734,"flow_dst_last_pkt_time":1500731342849734,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":76,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":76,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731342849734,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00601{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":187,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1500731342849734,"flow_dst_last_pkt_time":1500731342849734,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"thread_ts_usec":1500731342849734,"pkt":"AA6OGXEMfLuKifuECABFAABoEaUAAAQRdQ7AqAxyuXapQdpra4AAVCIdMquYZAIAAADswAAAiVxWTHQXYLkMmEhv3TFhCo9D90XwqWXbgOlZDx\/Hd+4rX5hDUY6wfFQBAZE4XnJazusJzbVQnhevgQppjVzdvQ=="} 00863{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":187,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731342849734,"flow_src_last_pkt_time":1500731342849734,"flow_dst_last_pkt_time":1500731342849734,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":76,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":76,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731342849734,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} @@ -103,9 +103,9 @@ 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":226,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731343274328,"flow_src_last_pkt_time":1500731343274328,"flow_dst_last_pkt_time":1500731343274328,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731343274328,"l3_proto":"ip4","src_ip":"151.6.184.98","dst_ip":"192.168.12.114","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.321296}} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":227,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_src_last_pkt_time":1500731343274498,"flow_dst_last_pkt_time":1500731343274328,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1500731343274498,"pkt":"fLuKifuEAA6OGXEMCABFAAA4AAAAAPwBokGXBrhiwKgMcgsAs38AAAAARQAAaBG2AAABEertwKgMclE9noraa8o5AFSchg=="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":228,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1500731343274660,"flow_dst_last_pkt_time":1500731343274328,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1500731343274660,"pkt":"fLuKifuEAA6OGXEMCABFAAA4AAAAAPwBokGXBrhiwKgMcgsA7ykAAAAARQAAaBG3AAABEerswKgMclE9noraa8o5AFRg3A=="} -01345{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":310,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1500731342849734,"flow_src_last_pkt_time":1500731344006747,"flow_dst_last_pkt_time":1500731344120690,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":2472,"flow_dst_tot_l4_payload_len":1560,"midstream":0,"thread_ts_usec":1500731344120690,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25,"flow_avg":94392.2,"flow_max":754134,"flow_stddev":174823.5,"c_to_s_min":183,"c_to_s_avg":79527.0,"c_to_s_max":592582,"c_to_s_stddev":145952.9,"s_to_c_min":25,"s_to_c_avg":127095.6,"s_to_c_max":754134,"s_to_c_stddev":222220.0},"pktlen": {"c_to_s_min":102,"c_to_s_avg":154.4,"c_to_s_max":886,"c_to_s_stddev":160.3,"s_to_c_min":102,"s_to_c_avg":198.0,"s_to_c_max":886,"s_to_c_stddev":230.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} -01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":373,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1500731343061460,"flow_src_last_pkt_time":1500731344751616,"flow_dst_last_pkt_time":1500731344671142,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":4168,"flow_dst_tot_l4_payload_len":1560,"midstream":0,"thread_ts_usec":1500731344751616,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"93.237.131.235","src_port":55915,"dst_port":56066,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":67,"flow_avg":103144.8,"flow_max":757918,"flow_stddev":186324.0,"c_to_s_min":216,"c_to_s_avg":76861.4,"c_to_s_max":607064,"c_to_s_stddev":144756.9,"s_to_c_min":67,"s_to_c_avg":160968.2,"s_to_c_max":757918,"s_to_c_stddev":245213.8},"pktlen": {"c_to_s_min":102,"c_to_s_avg":231.5,"c_to_s_max":886,"c_to_s_stddev":231.8,"s_to_c_min":102,"s_to_c_avg":198.0,"s_to_c_max":886,"s_to_c_stddev":230.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} -01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":388,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1500731343266581,"flow_src_last_pkt_time":1500731344811760,"flow_dst_last_pkt_time":1500731344805333,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":2304,"flow_dst_tot_l4_payload_len":1712,"midstream":0,"thread_ts_usec":1500731344811760,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"81.61.158.138","src_port":55915,"dst_port":51769,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":137,"flow_avg":96394.1,"flow_max":649265,"flow_stddev":181677.9,"c_to_s_min":137,"c_to_s_avg":77293.0,"c_to_s_max":649265,"c_to_s_stddev":158498.3,"s_to_c_min":435,"s_to_c_avg":128229.3,"s_to_c_max":629371,"s_to_c_stddev":211014.6},"pktlen": {"c_to_s_min":102,"c_to_s_avg":157.2,"c_to_s_max":886,"c_to_s_stddev":167.9,"s_to_c_min":102,"s_to_c_avg":184.7,"s_to_c_max":886,"s_to_c_stddev":212.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} +01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":310,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1500731342849734,"flow_src_last_pkt_time":1500731344006747,"flow_dst_last_pkt_time":1500731344120690,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":2472,"flow_dst_tot_l4_payload_len":1560,"midstream":0,"thread_ts_usec":1500731344120690,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25,"flow_avg":78321.6,"flow_max":754134,"flow_stddev":152593.1,"c_to_s_min":183,"c_to_s_avg":55095.9,"c_to_s_max":311877,"c_to_s_stddev":95839.6,"s_to_c_min":25,"s_to_c_avg":127095.6,"s_to_c_max":754134,"s_to_c_stddev":222220.0},"pktlen": {"c_to_s_min":102,"c_to_s_avg":154.4,"c_to_s_max":886,"c_to_s_stddev":160.3,"s_to_c_min":102,"s_to_c_avg":198.0,"s_to_c_max":886,"s_to_c_stddev":230.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} +01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":373,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1500731343061460,"flow_src_last_pkt_time":1500731344751616,"flow_dst_last_pkt_time":1500731344671142,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":4168,"flow_dst_tot_l4_payload_len":1560,"midstream":0,"thread_ts_usec":1500731344751616,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"93.237.131.235","src_port":55915,"dst_port":56066,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":67,"flow_avg":106446.4,"flow_max":757918,"flow_stddev":188381.8,"c_to_s_min":216,"c_to_s_avg":80483.6,"c_to_s_max":607064,"c_to_s_stddev":147186.1,"s_to_c_min":67,"s_to_c_avg":160968.2,"s_to_c_max":757918,"s_to_c_stddev":245213.8},"pktlen": {"c_to_s_min":102,"c_to_s_avg":231.5,"c_to_s_max":886,"c_to_s_stddev":231.8,"s_to_c_min":102,"s_to_c_avg":198.0,"s_to_c_max":886,"s_to_c_stddev":230.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} +01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":388,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1500731343266581,"flow_src_last_pkt_time":1500731344811760,"flow_dst_last_pkt_time":1500731344805333,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":2304,"flow_dst_tot_l4_payload_len":1712,"midstream":0,"thread_ts_usec":1500731344811760,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"81.61.158.138","src_port":55915,"dst_port":51769,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":137,"flow_avg":99481.6,"flow_max":649265,"flow_stddev":183756.7,"c_to_s_min":137,"c_to_s_avg":81325.2,"c_to_s_max":649265,"c_to_s_stddev":161612.9,"s_to_c_min":435,"s_to_c_avg":128229.3,"s_to_c_max":629371,"s_to_c_stddev":211014.6},"pktlen": {"c_to_s_min":102,"c_to_s_avg":157.2,"c_to_s_max":886,"c_to_s_stddev":167.9,"s_to_c_min":102,"s_to_c_avg":184.7,"s_to_c_max":886,"s_to_c_stddev":212.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} 00881{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1500731340831670,"flow_src_last_pkt_time":1500731340837106,"flow_dst_last_pkt_time":1500731340889684,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":16,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":80,"midstream":0,"thread_ts_usec":1500731348756457,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":10025,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"AmazonAWS","proto_id":"265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00765{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1500731340831670,"flow_src_last_pkt_time":1500731340837106,"flow_dst_last_pkt_time":1500731340889684,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":16,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":80,"midstream":0,"thread_ts_usec":1500731348756457,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":10025,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00908{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1500731341194858,"flow_src_last_pkt_time":1500731341194858,"flow_dst_last_pkt_time":1500731341194969,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":239,"flow_src_tot_l4_payload_len":68,"flow_dst_tot_l4_payload_len":239,"midstream":0,"thread_ts_usec":1500731348756457,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"192.168.12.1","src_port":51035,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Nintendo","proto_id":"5.173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} diff --git a/test/results/nntp.pcap.out b/test/results/nntp.pcap.out index 82bc5ad2c..5c0f0f7a5 100644 --- a/test/results/nntp.pcap.out +++ b/test/results/nntp.pcap.out @@ -5,7 +5,7 @@ 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1258844926423672,"flow_dst_last_pkt_time":1258844926423829,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1258844926423829,"pkt":"ABQqM3R+AEBj1fcCCABFAAA8AABAAEAGPVHAqL4FwKi+FAB32U6dVo1l2dJVlaASFqBxAwAAAgQFtAQCCAoKz1tgAMgoAwEDAwQ="} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1258844926423850,"flow_dst_last_pkt_time":1258844926423829,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1258844926423850,"pkt":"AEBj1fcCABQqM3R+CABFAAA0fZhAAEAGv8DAqL4UwKi+BdlOAHfZ0lWVnVaNZoAQAFy2EAAAAQEICgDIKAMKz1tg"} 00860{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1258844926423672,"flow_src_last_pkt_time":1258844926441100,"flow_dst_last_pkt_time":1258844926440830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":124,"flow_src_tot_l4_payload_len":13,"flow_dst_tot_l4_payload_len":124,"midstream":0,"thread_ts_usec":1258844926441100,"l3_proto":"ip4","src_ip":"192.168.190.20","dst_ip":"192.168.190.5","src_port":55630,"dst_port":119,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Usenet","proto_id":"93","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} -01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1258844926423672,"flow_src_last_pkt_time":1258844993785292,"flow_dst_last_pkt_time":1258844993785209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":113,"flow_dst_tot_l4_payload_len":4808,"midstream":0,"thread_ts_usec":1258844993785292,"l3_proto":"ip4","src_ip":"192.168.190.20","dst_ip":"192.168.190.5","src_port":55630,"dst_port":119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":29,"flow_avg":94737216.0,"flow_max":2896867688,"flow_stddev":503335776.0,"c_to_s_min":29,"c_to_s_avg":156012080.0,"c_to_s_max":2896867688,"c_to_s_stddev":646065728.0,"s_to_c_min":95,"s_to_c_avg":5181656.5,"s_to_c_max":25684268,"s_to_c_stddev":8244534.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":71.7,"c_to_s_max":97,"c_to_s_stddev":10.0,"s_to_c_min":66,"s_to_c_avg":436.5,"s_to_c_max":1514,"s_to_c_stddev":556.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Usenet","proto_id":"93","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01347{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1258844926423672,"flow_src_last_pkt_time":1258844993785292,"flow_dst_last_pkt_time":1258844993785209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":113,"flow_dst_tot_l4_payload_len":4808,"midstream":0,"thread_ts_usec":1258844993785292,"l3_proto":"ip4","src_ip":"192.168.190.20","dst_ip":"192.168.190.5","src_port":55630,"dst_port":119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":29,"flow_avg":4345908.0,"flow_max":25684268,"flow_stddev":7782391.0,"c_to_s_min":29,"c_to_s_avg":3742312.0,"c_to_s_max":25683555,"c_to_s_stddev":7372077.0,"s_to_c_min":95,"s_to_c_avg":5181656.5,"s_to_c_max":25684268,"s_to_c_stddev":8244534.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":71.7,"c_to_s_max":97,"c_to_s_stddev":10.0,"s_to_c_min":66,"s_to_c_avg":436.5,"s_to_c_max":1514,"s_to_c_stddev":556.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Usenet","proto_id":"93","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00904{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":32,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1258844926423672,"flow_src_last_pkt_time":1258844993785292,"flow_dst_last_pkt_time":1258844993785209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":113,"flow_dst_tot_l4_payload_len":4808,"midstream":0,"thread_ts_usec":1258844993785292,"l3_proto":"ip4","src_ip":"192.168.190.20","dst_ip":"192.168.190.5","src_port":55630,"dst_port":119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Usenet","proto_id":"93","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00556{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":32,"source":"nntp.pcap","alias":"nDPId-test","packets-captured":32,"packets-processed":32,"total-skipped-flows":0,"total-l4-payload-len":4921,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1258844993785292} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121467/121467 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 475 chars -~~ json string max len.......: 1363 chars -~~ json string avg len.......: 883 chars +~~ json string max len.......: 1352 chars +~~ json string avg len.......: 878 chars diff --git a/test/results/no_sni.pcap.out b/test/results/no_sni.pcap.out index 7227aa8ef..404299804 100644 --- a/test/results/no_sni.pcap.out +++ b/test/results/no_sni.pcap.out @@ -13,12 +13,12 @@ 01149{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1604822444486731,"flow_src_last_pkt_time":1604822444629799,"flow_dst_last_pkt_time":1604822444807971,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":616,"flow_dst_max_l4_payload_len":682,"flow_src_tot_l4_payload_len":792,"flow_dst_tot_l4_payload_len":682,"midstream":0,"thread_ts_usec":1604822444807971,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"mozilla.cloudflare-dns.com","tls": {"version":"TLSv1.3","ja3":"f14ec85ee5580a29f6523e24e5d3d527","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":36,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822444913120,"flow_dst_last_pkt_time":1604822444913120,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1604822444913120,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1604822444913120,"flow_dst_last_pkt_time":1604822444913120,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1604822444913120,"pkt":"EBMxuRBeeDHBvV4kCABFAABAAABAAEAGlCjAqAF3aBB8YMmcAbs\/DuN6AAAAALAC\/\/+FPgAAAgQFtAEDAwYBAQgKKlLy+gAAAAAEAgAA"} -01339{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1604822444486731,"flow_src_last_pkt_time":1604822444918595,"flow_dst_last_pkt_time":1604822444918472,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":616,"flow_dst_max_l4_payload_len":682,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":1416,"midstream":0,"thread_ts_usec":1604822444918595,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":27341.0,"flow_max":180261,"flow_stddev":53202.1,"c_to_s_min":62,"c_to_s_avg":26068.9,"c_to_s_max":178242,"c_to_s_stddev":51821.9,"s_to_c_min":4,"s_to_c_avg":28782.7,"s_to_c_max":180261,"s_to_c_stddev":54688.6},"pktlen": {"c_to_s_min":54,"c_to_s_avg":131.6,"c_to_s_max":670,"c_to_s_stddev":144.9,"s_to_c_min":60,"s_to_c_avg":152.0,"s_to_c_max":736,"s_to_c_stddev":182.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} +01339{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1604822444486731,"flow_src_last_pkt_time":1604822444918595,"flow_dst_last_pkt_time":1604822444918472,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":616,"flow_dst_max_l4_payload_len":682,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":1416,"midstream":0,"thread_ts_usec":1604822444918595,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":27858.2,"flow_max":180261,"flow_stddev":53974.2,"c_to_s_min":62,"c_to_s_avg":26991.5,"c_to_s_max":178242,"c_to_s_stddev":53281.2,"s_to_c_min":4,"s_to_c_avg":28782.7,"s_to_c_max":180261,"s_to_c_stddev":54688.6},"pktlen": {"c_to_s_min":54,"c_to_s_avg":131.6,"c_to_s_max":670,"c_to_s_stddev":144.9,"s_to_c_min":60,"s_to_c_avg":152.0,"s_to_c_max":736,"s_to_c_stddev":182.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1604822444913120,"flow_dst_last_pkt_time":1604822445034293,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1604822445034293,"pkt":"eDHBvV4kEBMxuRBeCABFAAA0AABAADkGmzRoEHxgwKgBdwG7yZyEa\/jPPw7je4AS\/\/9djQAAAgQFeAEBBAIBAwMK"} 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1604822445034393,"flow_dst_last_pkt_time":1604822445034293,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1604822445034393,"pkt":"EBMxuRBeeDHBvV4kCABFAAAoAABAAEAGlEDAqAF3aBB8YMmcAbs\/DuN7hGv40FAQEACOJgAA"} 01084{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822445039824,"flow_dst_last_pkt_time":1604822445034293,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":947,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":947,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1604822445039824,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"76ec527d45e3a2a9093484446d7d3264","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822445039824,"flow_dst_last_pkt_time":1604822445135087,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":947,"flow_dst_max_l4_payload_len":232,"flow_src_tot_l4_payload_len":947,"flow_dst_tot_l4_payload_len":232,"midstream":0,"thread_ts_usec":1604822445135087,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"76ec527d45e3a2a9093484446d7d3264","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01353{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":73,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822445694881,"flow_dst_last_pkt_time":1604822445694834,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":947,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2075,"flow_dst_tot_l4_payload_len":8322,"midstream":0,"thread_ts_usec":1604822445694881,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":120,"flow_avg":48937.9,"flow_max":472643,"flow_stddev":105675.0,"c_to_s_min":120,"c_to_s_avg":49018.6,"c_to_s_max":472643,"c_to_s_stddev":115642.4,"s_to_c_min":182,"s_to_c_avg":48857.1,"s_to_c_max":380381,"s_to_c_stddev":94663.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":185.2,"c_to_s_max":1001,"c_to_s_stddev":295.9,"s_to_c_min":60,"s_to_c_avg":576.8,"s_to_c_max":1514,"s_to_c_stddev":561.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01353{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":73,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822445694881,"flow_dst_last_pkt_time":1604822445694834,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":947,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2075,"flow_dst_tot_l4_payload_len":8322,"midstream":0,"thread_ts_usec":1604822445694881,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":120,"flow_avg":50434.7,"flow_max":472643,"flow_stddev":107031.5,"c_to_s_min":120,"c_to_s_avg":52117.4,"c_to_s_max":472643,"c_to_s_stddev":118790.0,"s_to_c_min":182,"s_to_c_avg":48857.1,"s_to_c_max":380381,"s_to_c_stddev":94663.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":185.2,"c_to_s_max":1001,"c_to_s_stddev":295.9,"s_to_c_min":60,"s_to_c_avg":576.8,"s_to_c_max":1514,"s_to_c_stddev":561.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":778,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1604822447227531,"flow_src_last_pkt_time":1604822447227531,"flow_dst_last_pkt_time":1604822447227531,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1604822447227531,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51635,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":778,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1604822447227531,"flow_dst_last_pkt_time":1604822447227531,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1604822447227531,"pkt":"EBMxuRBeeDHBvV4kCABFAABAAABAAEAGSmLAqAF3aBHGJcmzAbtjbUROAAAAALAC\/\/+t4gAAAgQFtAEDAwYBAQgKKlL7RgAAAAAEAgAA"} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":789,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1604822447249969,"flow_src_last_pkt_time":1604822447249969,"flow_dst_last_pkt_time":1604822447249969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1604822447249969,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51636,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -49,7 +49,7 @@ 01130{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":944,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1604822447287011,"flow_src_last_pkt_time":1604822447374307,"flow_dst_last_pkt_time":1604822447500011,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":712,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1604822447500011,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01130{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":948,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1604822447287617,"flow_src_last_pkt_time":1604822447380742,"flow_dst_last_pkt_time":1604822447506495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":712,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1604822447506495,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51639,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01130{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":952,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1604822447287254,"flow_src_last_pkt_time":1604822447386869,"flow_dst_last_pkt_time":1604822447515088,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":712,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1604822447515088,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51638,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1051,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1604822447287011,"flow_src_last_pkt_time":1604822447783794,"flow_dst_last_pkt_time":1604822447783495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1453,"flow_dst_tot_l4_payload_len":5882,"midstream":0,"thread_ts_usec":1604822447783794,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":23,"flow_avg":31051.0,"flow_max":143742,"flow_stddev":42722.0,"c_to_s_min":91,"c_to_s_avg":27619.3,"c_to_s_max":126443,"c_to_s_stddev":36594.9,"s_to_c_min":23,"s_to_c_avg":35463.1,"s_to_c_max":143742,"s_to_c_stddev":49146.7},"pktlen": {"c_to_s_min":54,"c_to_s_avg":136.7,"c_to_s_max":766,"c_to_s_stddev":172.6,"s_to_c_min":60,"s_to_c_avg":476.3,"s_to_c_max":1514,"s_to_c_stddev":529.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1051,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1604822447287011,"flow_src_last_pkt_time":1604822447783794,"flow_dst_last_pkt_time":1604822447783495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1453,"flow_dst_tot_l4_payload_len":5882,"midstream":0,"thread_ts_usec":1604822447783794,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":23,"flow_avg":32040.9,"flow_max":143742,"flow_stddev":43042.9,"c_to_s_min":91,"c_to_s_avg":29222.5,"c_to_s_max":126443,"c_to_s_stddev":37036.4,"s_to_c_min":23,"s_to_c_avg":35463.1,"s_to_c_max":143742,"s_to_c_stddev":49146.7},"pktlen": {"c_to_s_min":54,"c_to_s_avg":136.7,"c_to_s_max":766,"c_to_s_stddev":172.6,"s_to_c_min":60,"s_to_c_avg":476.3,"s_to_c_max":1514,"s_to_c_stddev":529.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00922{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1185,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":16,"flow_first_seen":1604822447287011,"flow_src_last_pkt_time":1604822447785923,"flow_dst_last_pkt_time":1604822447869770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1453,"flow_dst_tot_l4_payload_len":5913,"midstream":0,"thread_ts_usec":1604822448604804,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00767{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1185,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":10,"flow_first_seen":1604822447287254,"flow_src_last_pkt_time":1604822447844256,"flow_dst_last_pkt_time":1604822447844195,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":3333,"midstream":0,"thread_ts_usec":1604822448604804,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51638,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00767{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1185,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":10,"flow_first_seen":1604822447287617,"flow_src_last_pkt_time":1604822447839595,"flow_dst_last_pkt_time":1604822447839532,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":3333,"midstream":0,"thread_ts_usec":1604822448604804,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51639,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/ocs.pcap.out b/test/results/ocs.pcap.out index e7cec189f..476c45efb 100644 --- a/test/results/ocs.pcap.out +++ b/test/results/ocs.pcap.out @@ -59,7 +59,7 @@ 01150{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":59,"source":"ocs.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":0,"flow_first_seen":1449652788109953,"flow_src_last_pkt_time":1449652788195073,"flow_dst_last_pkt_time":1449652788109953,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652788195073,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.54","src_port":36680,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.OCS","proto_id":"91.218","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"ocs.labgency.ws","tls": {"version":"TLSv1","ja3":"0534a22b266a64a5cc9a90f7b5c483cc","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":78,"source":"ocs.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1449652788595794,"flow_dst_last_pkt_time":1449652787596837,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":60,"pkt_l4_len":40,"thread_ts_usec":1449652788595794,"pkt":"RQAAPDy5QABABnycwKi0AomHgzS0VhQCr\/++QwAAAACgAjkI02AAAAIEBbQEAggKADWDYAAAAAABAwMG"} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"ocs.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1449652790602154,"flow_dst_last_pkt_time":1449652787596837,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":60,"pkt_l4_len":40,"thread_ts_usec":1449652790602154,"pkt":"RQAAPDy6QABABnybwKi0AomHgzS0VhQCr\/++QwAAAACgAjkI0pgAAAIEBbQEAggKADWEKAAAAAABAwMG"} -01308{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"ocs.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1449652787983929,"flow_src_last_pkt_time":1449652790713183,"flow_dst_last_pkt_time":1449652787983929,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":663,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652790713183,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.54","src_port":49881,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":450,"flow_avg":98161.1,"flow_max":928563,"flow_stddev":178992.5,"c_to_s_min":450,"c_to_s_avg":98161.1,"c_to_s_max":928563,"c_to_s_stddev":178992.5,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":52,"c_to_s_avg":83.1,"c_to_s_max":715,"c_to_s_stddev":113.8,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +01308{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"ocs.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1449652787983929,"flow_src_last_pkt_time":1449652790713183,"flow_dst_last_pkt_time":1449652787983929,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":663,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652790713183,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.54","src_port":49881,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":450,"flow_avg":88040.5,"flow_max":928563,"flow_stddev":172609.9,"c_to_s_min":450,"c_to_s_avg":88040.5,"c_to_s_max":928563,"c_to_s_stddev":172609.9,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":52,"c_to_s_avg":83.1,"c_to_s_max":715,"c_to_s_stddev":113.8,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":175,"source":"ocs.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1449652792355546,"flow_dst_last_pkt_time":1449652784341686,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":60,"pkt_l4_len":40,"thread_ts_usec":1449652792355546,"pkt":"RQAAPKb0QABABiV3wKi0AkDpuLy6UxRsAv3YCQAAAACgAjkIcdQAAAIEBbQEAggKADWE2AAAAAABAwMG"} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":241,"source":"ocs.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1449652797357367,"flow_src_last_pkt_time":1449652797357367,"flow_dst_last_pkt_time":1449652797357367,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652797357367,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"64.233.184.188","src_port":32946,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3} 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":241,"source":"ocs.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1449652797357367,"flow_dst_last_pkt_time":1449652797357367,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":60,"pkt_l4_len":40,"thread_ts_usec":1449652797357367,"pkt":"RQAAPAMUQABABslXwKi0AkDpuLyAsgG7QZiF2AAAAACgAjkIz8gAAAIEBbQEAggKADWGzAAAAAABAwMG"} @@ -82,7 +82,7 @@ 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":865,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_src_last_pkt_time":1449652842700226,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":52,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":52,"pkt_l4_len":32,"thread_ts_usec":1449652842700226,"pkt":"RQAAND8aQABABgM0wKi0ArL40NKmXgBQrzCnZDkypeeAEADlhQYAAAEBCAoANZiCGkFpBQ=="} 00708{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":866,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_src_last_pkt_time":1449652842701752,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":204,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":204,"pkt_l4_len":184,"thread_ts_usec":1449652842701752,"pkt":"RQAAzD8bQABABgKbwKi0ArL40NKmXgBQrzCnZDkypeeAGADlkB4AAAEBCAoANZiCGkFpBUdFVCAvZGF0YV9wbGF0ZWZvcm1lL3Byb2dyYW0vMTg0OTYvdHZfZGV0YWlsX21vcnRkdW5wb3VydzAwMTIyMzZfNzJmNmMuanBnIEhUVFAvMS4xDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXANCkhvc3Q6IHd3dy5vY3MuZnINCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCg0K"} 01030{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":866,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":0,"flow_first_seen":1449652842628827,"flow_src_last_pkt_time":1449652842701752,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652842701752,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.210","src_port":42590,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.ocs.fr","http": {"url":"www.ocs.fr\/data_plateforme\/program\/18496\/tv_detail_mortdunpourw0012236_72f6c.jpg","code":0,"content_type":"","user_agent":""}}} -01310{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":895,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1449652842628827,"flow_src_last_pkt_time":1449652843470951,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652843470951,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.210","src_port":42590,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":77,"flow_avg":141245.6,"flow_max":3677735,"flow_stddev":635839.6,"c_to_s_min":77,"c_to_s_avg":141245.6,"c_to_s_max":3677735,"c_to_s_stddev":635839.6,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":52,"c_to_s_avg":63.9,"c_to_s_max":204,"c_to_s_stddev":26.3,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +01302{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":895,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1449652842628827,"flow_src_last_pkt_time":1449652843470951,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652843470951,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.210","src_port":42590,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":77,"flow_avg":27165.3,"flow_max":79495,"flow_stddev":29589.7,"c_to_s_min":77,"c_to_s_avg":27165.3,"c_to_s_max":79495,"c_to_s_stddev":29589.7,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":52,"c_to_s_avg":63.9,"c_to_s_max":204,"c_to_s_stddev":26.3,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00901{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":946,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":83,"flow_dst_packets_processed":0,"flow_first_seen":1449652842628827,"flow_src_last_pkt_time":1449652846380718,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":156,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":308,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652846380718,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.210","src_port":42590,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00756{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":946,"source":"ocs.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":0,"flow_first_seen":1449652786395470,"flow_src_last_pkt_time":1449652787578542,"flow_dst_last_pkt_time":1449652786395470,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":84,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652846380718,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"137.135.129.206","src_port":44959,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3} 00867{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":946,"source":"ocs.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":0,"flow_first_seen":1449652787596837,"flow_src_last_pkt_time":1449652818681770,"flow_dst_last_pkt_time":1449652787596837,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652846380718,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"137.135.131.52","src_port":46166,"dst_port":5122,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Azure","proto_id":"276","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} diff --git a/test/results/ocsp.pcapng.out b/test/results/ocsp.pcapng.out index 6a4a2259b..53265353a 100644 --- a/test/results/ocsp.pcapng.out +++ b/test/results/ocsp.pcapng.out @@ -17,8 +17,8 @@ 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1623222785863296,"flow_dst_last_pkt_time":1623222785875339,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623222785875339,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADgGxC5cel\/rwKgBgABQqtACFmIrx0ULW6AScSDxGwAAAgQFtAQCCAqrs6x4tFZ4oAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB8kYB7"} 00598{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1623222785879381,"flow_dst_last_pkt_time":1623222785875339,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"thread_ts_usec":1623222785879381,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0JGJAAEAGl9TAqAGAXHpf66rQAFDHRQtbAhZiLIAQAfaPAgAAAQEICrRWeLCrs6x4GYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcxJlyw=="} 01122{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":52,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623222785863296,"flow_src_last_pkt_time":1623222785879661,"flow_dst_last_pkt_time":1623222785875339,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":386,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623222785879661,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"92.122.95.235","src_port":43728,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"r3.o.lencr.org","http": {"url":"r3.o.lencr.org\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0","request_content_type":"application\/ocsp-request","detected_os":"Ubuntu"}}} -01370{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":70,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623222699655905,"flow_src_last_pkt_time":1623222817722827,"flow_dst_last_pkt_time":1623222807485567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":394,"flow_dst_max_l4_payload_len":702,"flow_src_tot_l4_payload_len":788,"flow_dst_tot_l4_payload_len":1404,"midstream":0,"thread_ts_usec":1623222817722827,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"142.250.184.99","src_port":54154,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3376,"flow_avg":52004692.0,"flow_max":1386248778,"flow_stddev":243634768.0,"c_to_s_min":7013,"c_to_s_avg":94019728.0,"c_to_s_max":1386248778,"c_to_s_stddev":333675264.0,"s_to_c_min":3376,"s_to_c_avg":7188644.5,"s_to_c_max":10242877,"s_to_c_stddev":4448089.5},"pktlen": {"c_to_s_min":118,"c_to_s_avg":164.8,"c_to_s_max":512,"c_to_s_stddev":126.8,"s_to_c_min":118,"s_to_c_avg":212.1,"s_to_c_max":820,"s_to_c_stddev":238.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":13,"category":"Cloud"}} -01361{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":105,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623222785863296,"flow_src_last_pkt_time":1623222906298417,"flow_dst_last_pkt_time":1623222896069773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":889,"flow_src_tot_l4_payload_len":772,"flow_dst_tot_l4_payload_len":1778,"midstream":0,"thread_ts_usec":1623222906298417,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"92.122.95.235","src_port":43728,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":280,"flow_avg":7492375.5,"flow_max":10244049,"flow_stddev":4339155.5,"c_to_s_min":280,"c_to_s_avg":7620561.0,"c_to_s_max":10244027,"c_to_s_stddev":4241778.5,"s_to_c_min":1344,"s_to_c_avg":7347098.5,"s_to_c_max":10244049,"s_to_c_stddev":4442471.5},"pktlen": {"c_to_s_min":118,"c_to_s_avg":163.9,"c_to_s_max":504,"c_to_s_stddev":124.2,"s_to_c_min":118,"s_to_c_avg":237.1,"s_to_c_max":1007,"s_to_c_stddev":302.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +01360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":70,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623222699655905,"flow_src_last_pkt_time":1623222817722827,"flow_dst_last_pkt_time":1623222807485567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":394,"flow_dst_max_l4_payload_len":702,"flow_src_tot_l4_payload_len":788,"flow_dst_tot_l4_payload_len":1404,"midstream":0,"thread_ts_usec":1623222817722827,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"142.250.184.99","src_port":54154,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3376,"flow_avg":7529886.0,"flow_max":10243102,"flow_stddev":4272061.0,"c_to_s_min":7013,"c_to_s_avg":7871128.0,"c_to_s_max":10243102,"c_to_s_stddev":4059877.2,"s_to_c_min":3376,"s_to_c_avg":7188644.5,"s_to_c_max":10242877,"s_to_c_stddev":4448089.5},"pktlen": {"c_to_s_min":118,"c_to_s_avg":164.8,"c_to_s_max":512,"c_to_s_stddev":126.8,"s_to_c_min":118,"s_to_c_avg":212.1,"s_to_c_max":820,"s_to_c_stddev":238.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":13,"category":"Cloud"}} +01361{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":105,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623222785863296,"flow_src_last_pkt_time":1623222906298417,"flow_dst_last_pkt_time":1623222896069773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":889,"flow_src_tot_l4_payload_len":772,"flow_dst_tot_l4_payload_len":1778,"midstream":0,"thread_ts_usec":1623222906298417,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"92.122.95.235","src_port":43728,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":280,"flow_avg":7440051.5,"flow_max":10244049,"flow_stddev":4398639.5,"c_to_s_min":280,"c_to_s_avg":7527195.0,"c_to_s_max":10244027,"c_to_s_stddev":4355346.5,"s_to_c_min":1344,"s_to_c_avg":7347098.5,"s_to_c_max":10244049,"s_to_c_stddev":4442471.5},"pktlen": {"c_to_s_min":118,"c_to_s_avg":163.9,"c_to_s_max":504,"c_to_s_stddev":124.2,"s_to_c_min":118,"s_to_c_avg":237.1,"s_to_c_max":1007,"s_to_c_stddev":302.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":110,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1623223090984057,"flow_src_last_pkt_time":1623223090984057,"flow_dst_last_pkt_time":1623223090984057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623223090984057,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34320,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":110,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1623223090984057,"flow_dst_last_pkt_time":1623223090984057,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623223090984057,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8WOFAAEAGCBnAqAGAl4uADoYQAFC9BO7MAAAAAKAC+vBq5AAAAgQFtAQCCArLCQstAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAABk1G4o"} 00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":111,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1623223090984057,"flow_dst_last_pkt_time":1623223091009779,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623223091009779,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADAGcPqXi4AOwKgBgABQhhCFN\/R2vQTuzaAS\/ohuswAAAgQFtAQCCAoBgn1XywkLLQEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADKwfqN"} @@ -39,7 +39,7 @@ 01129{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":161,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623226796047107,"flow_src_last_pkt_time":1623226796057242,"flow_dst_last_pkt_time":1623226796050182,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":387,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623226796057242,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"ocsp.digicert.com","http": {"url":"ocsp.digicert.com\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0","request_content_type":"application\/ocsp-request","detected_os":"Ubuntu"}}} 00910{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":165,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":12,"flow_first_seen":1623223090984057,"flow_src_last_pkt_time":1623223156058732,"flow_dst_last_pkt_time":1623223156084748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":393,"flow_dst_max_l4_payload_len":728,"flow_src_tot_l4_payload_len":393,"flow_dst_tot_l4_payload_len":1199,"midstream":0,"thread_ts_usec":1623226796065242,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34320,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00909{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":165,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":12,"flow_first_seen":1623223091709422,"flow_src_last_pkt_time":1623223156773701,"flow_dst_last_pkt_time":1623223156800666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":389,"flow_dst_max_l4_payload_len":472,"flow_src_tot_l4_payload_len":389,"flow_dst_tot_l4_payload_len":917,"midstream":0,"thread_ts_usec":1623226796065242,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34340,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -01372{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":189,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1623226796047107,"flow_src_last_pkt_time":1623226898935296,"flow_dst_last_pkt_time":1623226888697884,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":799,"flow_src_tot_l4_payload_len":1161,"flow_dst_tot_l4_payload_len":2397,"midstream":0,"thread_ts_usec":1623226898935296,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":297,"flow_avg":119838040.0,"flow_max":3639278264,"flow_stddev":632128768.0,"c_to_s_min":346,"c_to_s_avg":207898144.0,"c_to_s_max":3639278264,"c_to_s_stddev":832246080.0,"s_to_c_min":297,"s_to_c_avg":6617912.5,"s_to_c_max":10240173,"s_to_c_stddev":4842820.0},"pktlen": {"c_to_s_min":118,"c_to_s_avg":182.9,"c_to_s_max":505,"c_to_s_stddev":144.0,"s_to_c_min":118,"s_to_c_avg":289.8,"s_to_c_max":917,"s_to_c_stddev":327.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +01360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":189,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1623226796047107,"flow_src_last_pkt_time":1623226898935296,"flow_dst_last_pkt_time":1623226888697884,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":799,"flow_src_tot_l4_payload_len":1161,"flow_dst_tot_l4_payload_len":2397,"midstream":0,"thread_ts_usec":1623226898935296,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":297,"flow_avg":6307708.5,"flow_max":10240173,"flow_stddev":4932344.5,"c_to_s_min":346,"c_to_s_avg":6052246.5,"c_to_s_max":10240147,"c_to_s_stddev":4990410.5,"s_to_c_min":297,"s_to_c_avg":6617912.5,"s_to_c_max":10240173,"s_to_c_stddev":4842820.0},"pktlen": {"c_to_s_min":118,"c_to_s_avg":182.9,"c_to_s_max":505,"c_to_s_stddev":144.0,"s_to_c_min":118,"s_to_c_avg":289.8,"s_to_c_max":917,"s_to_c_stddev":327.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":208,"source":"ocsp.pcapng","alias":"nDPId-test","packets-captured":208,"packets-processed":207,"total-skipped-flows":0,"total-l4-payload-len":19557,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":6,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":43,"global_ts_usec":1623227471703092} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":208,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1623227471703092,"flow_src_last_pkt_time":1623227471703092,"flow_dst_last_pkt_time":1623227471703092,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623227471703092,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.85.15.92","src_port":49382,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":208,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1623227471703092,"flow_dst_last_pkt_time":1623227471703092,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623227471703092,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8CDlAAEAGLKrAqAGANFUPXMDmAFDpM3mLAAAAAKAC+vAljwAAAgQFtAQCCArD2jnWAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAU0JsT"} @@ -52,8 +52,8 @@ 00599{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":217,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1623227472218439,"flow_dst_last_pkt_time":1623227472214417,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"thread_ts_usec":1623227472218439,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0cD1AAEAGbnTAqAGAl2UCheoSAFClxR9WcxTjBIAQAfagEQAAAQEIClxJqx0CSmlaGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyyO91A=="} 01149{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":218,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623227472211039,"flow_src_last_pkt_time":1623227472219362,"flow_dst_last_pkt_time":1623227472214417,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":401,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":401,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623227472219362,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.101.2.133","src_port":59922,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"ocsp.globalsign.com","http": {"url":"ocsp.globalsign.com\/gsrsaovsslca2018","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0","request_content_type":"application\/ocsp-request","detected_os":"Ubuntu"}}} 00910{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":224,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":23,"flow_first_seen":1623226796047107,"flow_src_last_pkt_time":1623226963037756,"flow_dst_last_pkt_time":1623226963033362,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":799,"flow_src_tot_l4_payload_len":1161,"flow_dst_tot_l4_payload_len":2397,"midstream":0,"thread_ts_usec":1623227472228502,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -01360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":269,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623227472211039,"flow_src_last_pkt_time":1623227587349174,"flow_dst_last_pkt_time":1623227584757187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":401,"flow_dst_max_l4_payload_len":1344,"flow_src_tot_l4_payload_len":401,"flow_dst_tot_l4_payload_len":1998,"midstream":0,"thread_ts_usec":1623227587349174,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.101.2.133","src_port":59922,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":615,"flow_avg":7605846.0,"flow_max":10240632,"flow_stddev":4373748.0,"c_to_s_min":923,"c_to_s_avg":7226826.5,"c_to_s_max":10240632,"c_to_s_stddev":4489222.5,"s_to_c_min":615,"s_to_c_avg":8039010.5,"s_to_c_max":10240491,"s_to_c_stddev":4196215.0},"pktlen": {"c_to_s_min":118,"c_to_s_avg":142.1,"c_to_s_max":519,"c_to_s_stddev":94.3,"s_to_c_min":118,"s_to_c_avg":251.7,"s_to_c_max":1462,"s_to_c_stddev":362.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -01367{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":274,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623227471703092,"flow_src_last_pkt_time":1623227587366039,"flow_dst_last_pkt_time":1623227587361645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":396,"flow_dst_max_l4_payload_len":1006,"flow_src_tot_l4_payload_len":396,"flow_dst_tot_l4_payload_len":1006,"midstream":0,"thread_ts_usec":1623227587366039,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.85.15.92","src_port":49382,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":379,"flow_avg":23124804.0,"flow_max":508672247,"flow_stddev":87312632.0,"c_to_s_min":379,"c_to_s_avg":36725600.0,"c_to_s_max":508672247,"c_to_s_stddev":118066912.0,"s_to_c_min":11963,"s_to_c_avg":7710570.0,"s_to_c_max":10240566,"s_to_c_stddev":4216529.5},"pktlen": {"c_to_s_min":118,"c_to_s_avg":141.8,"c_to_s_max":514,"c_to_s_stddev":93.1,"s_to_c_min":118,"s_to_c_avg":185.6,"s_to_c_max":1124,"s_to_c_stddev":250.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +01360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":269,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623227472211039,"flow_src_last_pkt_time":1623227587349174,"flow_dst_last_pkt_time":1623227584757187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":401,"flow_dst_max_l4_payload_len":1344,"flow_src_tot_l4_payload_len":401,"flow_dst_tot_l4_payload_len":1998,"midstream":0,"thread_ts_usec":1623227587349174,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.101.2.133","src_port":59922,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":615,"flow_avg":7851182.5,"flow_max":10240632,"flow_stddev":4240709.0,"c_to_s_min":923,"c_to_s_avg":7675875.5,"c_to_s_max":10240632,"c_to_s_stddev":4274381.0,"s_to_c_min":615,"s_to_c_avg":8039010.5,"s_to_c_max":10240491,"s_to_c_stddev":4196215.0},"pktlen": {"c_to_s_min":118,"c_to_s_avg":142.1,"c_to_s_max":519,"c_to_s_stddev":94.3,"s_to_c_min":118,"s_to_c_avg":251.7,"s_to_c_max":1462,"s_to_c_stddev":362.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +01360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":274,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623227471703092,"flow_src_last_pkt_time":1623227587366039,"flow_dst_last_pkt_time":1623227587361645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":396,"flow_dst_max_l4_payload_len":1006,"flow_src_tot_l4_payload_len":396,"flow_dst_tot_l4_payload_len":1006,"midstream":0,"thread_ts_usec":1623227587366039,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.85.15.92","src_port":49382,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":379,"flow_avg":7461984.0,"flow_max":10240568,"flow_stddev":4364520.0,"c_to_s_min":379,"c_to_s_avg":7228934.0,"c_to_s_max":10240568,"c_to_s_stddev":4486349.5,"s_to_c_min":11963,"s_to_c_avg":7710570.0,"s_to_c_max":10240566,"s_to_c_stddev":4216529.5},"pktlen": {"c_to_s_min":118,"c_to_s_avg":141.8,"c_to_s_max":514,"c_to_s_stddev":93.1,"s_to_c_min":118,"s_to_c_avg":185.6,"s_to_c_max":1124,"s_to_c_stddev":250.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","packets-captured":275,"packets-processed":274,"total-skipped-flows":0,"total-l4-payload-len":23358,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":8,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":8,"total-idle-flows":6,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":57,"global_ts_usec":1623229632695852} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1623229632695852,"flow_src_last_pkt_time":1623229632695852,"flow_dst_last_pkt_time":1623229632695852,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623229632695852,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"109.70.240.114","src_port":45514,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1623229632695852,"flow_dst_last_pkt_time":1623229632695852,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623229632695852,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA82G5AAEAGQmzAqAGAbUbwcrHKAFDtwUNWAAAAAKAC+vAcMQAAAgQFtAQCCAoRKRyhAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADZRLNb"} @@ -68,7 +68,7 @@ 00601{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":301,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1623229850972935,"flow_dst_last_pkt_time":1623229850968545,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"thread_ts_usec":1623229850972935,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0+slAAEAGBjXAqAGAFwxgkb+KAFDAJRPi2VU1H4AQAfZ\/KgAAAQEICo4eQkQG1UJIGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV7trsA=="} 01127{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":302,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623229850956311,"flow_src_last_pkt_time":1623229850973410,"flow_dst_last_pkt_time":1623229850968545,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":386,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623229850973410,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"ocsp.entrust.net","http": {"url":"ocsp.entrust.net\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0","request_content_type":"application\/ocsp-request","detected_os":"Ubuntu"}}} 00911{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":320,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":12,"flow_first_seen":1623229632695852,"flow_src_last_pkt_time":1623229697731607,"flow_dst_last_pkt_time":1623229697742645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":399,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":399,"flow_dst_tot_l4_payload_len":2325,"midstream":0,"thread_ts_usec":1623229853240025,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"109.70.240.114","src_port":45514,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -01369{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":330,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623229850956311,"flow_src_last_pkt_time":1623229914599193,"flow_dst_last_pkt_time":1623229904370774,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":5872,"midstream":0,"thread_ts_usec":1623229914599193,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":475,"flow_avg":10395589.0,"flow_max":153227968,"flow_stddev":28972426.0,"c_to_s_min":475,"c_to_s_avg":15490775.0,"c_to_s_max":153227968,"c_to_s_stddev":38497908.0,"s_to_c_min":2550,"s_to_c_avg":4451205.5,"s_to_c_max":10240467,"s_to_c_stddev":4896534.5},"pktlen": {"c_to_s_min":118,"c_to_s_avg":186.6,"c_to_s_max":505,"c_to_s_stddev":147.1,"s_to_c_min":118,"s_to_c_avg":510.0,"s_to_c_max":1566,"s_to_c_stddev":563.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +01363{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":330,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623229850956311,"flow_src_last_pkt_time":1623229914599193,"flow_dst_last_pkt_time":1623229904370774,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":5872,"midstream":0,"thread_ts_usec":1623229914599193,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":475,"flow_avg":4682294.0,"flow_max":10241196,"flow_stddev":4928712.5,"c_to_s_min":475,"c_to_s_avg":4895606.0,"c_to_s_max":10241196,"c_to_s_stddev":4948660.5,"s_to_c_min":2550,"s_to_c_avg":4451205.5,"s_to_c_max":10240467,"s_to_c_stddev":4896534.5},"pktlen": {"c_to_s_min":118,"c_to_s_avg":186.6,"c_to_s_max":505,"c_to_s_stddev":147.1,"s_to_c_min":118,"s_to_c_avg":510.0,"s_to_c_max":1566,"s_to_c_stddev":563.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00911{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":344,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":22,"flow_first_seen":1623229850956311,"flow_src_last_pkt_time":1623229968257993,"flow_dst_last_pkt_time":1623229968253231,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":5872,"midstream":0,"thread_ts_usec":1623229968257993,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":344,"source":"ocsp.pcapng","alias":"nDPId-test","packets-captured":344,"packets-processed":344,"total-skipped-flows":0,"total-l4-payload-len":33113,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":10,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":10,"total-idle-flows":10,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":73,"global_ts_usec":1623229968257993} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -84,5 +84,5 @@ ~~ total allocations/frees...: 121916/121916 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 477 chars -~~ json string max len.......: 1377 chars -~~ json string avg len.......: 926 chars +~~ json string max len.......: 1368 chars +~~ json string avg len.......: 921 chars diff --git a/test/results/ookla.pcap.out b/test/results/ookla.pcap.out index 1b0134f2e..9529df2b1 100644 --- a/test/results/ookla.pcap.out +++ b/test/results/ookla.pcap.out @@ -10,7 +10,7 @@ 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1491069115107460,"flow_dst_last_pkt_time":1491069115144245,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1491069115144245,"pkt":"xCwDBkn+gCqojWksCABFAAA8AABAADMGWiUuLP27wKgBBx+QyA8qkdUorSOsy6ASOJC7tQAAAgQFrAQCCAp\/4XceDd4f9gEDAwU="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1491069115144357,"flow_dst_last_pkt_time":1491069115144245,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1491069115144357,"pkt":"gCqojWksxCwDBkn+CABFAAA0VElAAEAGAADAqAEHLiz9u8gPH5CtI6zLKpHVKYAQECztvQAAAQEICg3eIBp\/4Xce"} 00861{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":24,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1491069115107460,"flow_src_last_pkt_time":1491069115172347,"flow_dst_last_pkt_time":1491069115144245,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":3,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":3,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1491069115172347,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51215,"dst_port":8080,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"Ookla","proto_id":"191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -01334{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1491069115107460,"flow_src_last_pkt_time":1491069116003131,"flow_dst_last_pkt_time":1491069115908957,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":19,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":186,"midstream":0,"thread_ts_usec":1491069116003131,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51215,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":72,"flow_avg":86086.2,"flow_max":1057589,"flow_stddev":177418.3,"c_to_s_min":26006,"c_to_s_avg":93012.4,"c_to_s_max":1057589,"c_to_s_stddev":216956.7,"s_to_c_min":72,"s_to_c_avg":72863.4,"s_to_c_max":137734,"s_to_c_stddev":37979.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":74.9,"c_to_s_max":85,"c_to_s_stddev":9.1,"s_to_c_min":66,"s_to_c_avg":83.6,"s_to_c_max":100,"s_to_c_stddev":7.9}},"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"Ookla","proto_id":"191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +01330{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1491069115107460,"flow_src_last_pkt_time":1491069116003131,"flow_dst_last_pkt_time":1491069115908957,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":19,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":186,"midstream":0,"thread_ts_usec":1491069116003131,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51215,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":72,"flow_avg":54747.4,"flow_max":137734,"flow_stddev":32631.2,"c_to_s_min":26006,"c_to_s_avg":44783.6,"c_to_s_max":103239,"c_to_s_stddev":24027.0,"s_to_c_min":72,"s_to_c_avg":72863.4,"s_to_c_max":137734,"s_to_c_stddev":37979.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":74.9,"c_to_s_max":85,"c_to_s_stddev":9.1,"s_to_c_min":66,"s_to_c_avg":83.6,"s_to_c_max":100,"s_to_c_stddev":7.9}},"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"Ookla","proto_id":"191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00924{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":5086,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2202,"flow_dst_packets_processed":2864,"flow_first_seen":1491069115107460,"flow_src_last_pkt_time":1491069155086298,"flow_dst_last_pkt_time":1491069155251079,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":883752,"flow_dst_tot_l4_payload_len":3462381,"midstream":0,"thread_ts_usec":1491069155251079,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51215,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"Ookla","proto_id":"191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00909{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":5086,"source":"ookla.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":8,"flow_first_seen":1491069108756336,"flow_src_last_pkt_time":1491069114050266,"flow_dst_last_pkt_time":1491069114084923,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":364,"flow_dst_max_l4_payload_len":457,"flow_src_tot_l4_payload_len":1434,"flow_dst_tot_l4_payload_len":1546,"midstream":0,"thread_ts_usec":1491069155251079,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51207,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Ookla","proto_id":"7.191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00566{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":5086,"source":"ookla.pcap","alias":"nDPId-test","packets-captured":5086,"packets-processed":5086,"total-skipped-flows":0,"total-l4-payload-len":4349113,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":16,"global_ts_usec":1491069155251079} @@ -27,5 +27,5 @@ ~~ total allocations/frees...: 126534/126534 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 476 chars -~~ json string max len.......: 1339 chars -~~ json string avg len.......: 892 chars +~~ json string max len.......: 1335 chars +~~ json string avg len.......: 891 chars diff --git a/test/results/openvpn.pcap.out b/test/results/openvpn.pcap.out index f8c7454ca..752053593 100644 --- a/test/results/openvpn.pcap.out +++ b/test/results/openvpn.pcap.out @@ -5,14 +5,14 @@ 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1467904946700231,"flow_dst_last_pkt_time":1467904946755145,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1467904946755145,"pkt":"AA6OGXEMhCYVLjtSCABFoAA8AABAADQGbecuZefawKgBTQG76uxsxVWWvpV7n6AScSBx2QAAAgQFtAQCCAoANCgCAA17SwEDAwE="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1467904946755184,"flow_dst_last_pkt_time":1467904946755145,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1467904946755184,"pkt":"hCYVLjtSAA6OGXEMCABFAAA0ANZAAEAGYbnAqAFNLmXn2ursAbu+lXufbMVVl4AQOQjYsgAAAQEICgANe1AANCgC"} 00994{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1467904946700231,"flow_src_last_pkt_time":1467904947700508,"flow_dst_last_pkt_time":1467904947753377,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1467904947753377,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"46.101.231.218","src_port":60140,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} -01491{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1467904946700231,"flow_src_last_pkt_time":1467904948037674,"flow_dst_last_pkt_time":1467904948077757,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":305,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":869,"flow_dst_tot_l4_payload_len":1940,"midstream":0,"thread_ts_usec":1467904948077757,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"46.101.231.218","src_port":60140,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":124,"flow_avg":34117472.0,"flow_max":1089044151,"flow_stddev":189470560.0,"c_to_s_min":181,"c_to_s_avg":77884400.0,"c_to_s_max":1089044151,"c_to_s_stddev":280445344.0,"s_to_c_min":124,"s_to_c_avg":76529.2,"s_to_c_max":997748,"s_to_c_stddev":224704.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":128.6,"c_to_s_max":371,"c_to_s_stddev":84.3,"s_to_c_min":66,"s_to_c_avg":174.2,"s_to_c_max":222,"s_to_c_stddev":60.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01472{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1467904946700231,"flow_src_last_pkt_time":1467904948037674,"flow_dst_last_pkt_time":1467904948077757,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":305,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":869,"flow_dst_tot_l4_payload_len":1940,"midstream":0,"thread_ts_usec":1467904948077757,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"46.101.231.218","src_port":60140,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":124,"flow_avg":87579.6,"flow_max":997748,"flow_stddev":233509.3,"c_to_s_min":181,"c_to_s_avg":102880.2,"c_to_s_max":945324,"c_to_s_stddev":244355.5,"s_to_c_min":124,"s_to_c_avg":76529.2,"s_to_c_max":997748,"s_to_c_stddev":224704.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":128.6,"c_to_s_max":371,"c_to_s_stddev":84.3,"s_to_c_min":66,"s_to_c_avg":174.2,"s_to_c_max":222,"s_to_c_stddev":60.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00556{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":96,"source":"openvpn.pcap","alias":"nDPId-test","packets-captured":96,"packets-processed":95,"total-skipped-flows":0,"total-l4-payload-len":9094,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1470218591746723} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":96,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218591746723,"flow_dst_last_pkt_time":1470218591746723,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470218591746723,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":96,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1470218591746723,"flow_dst_last_pkt_time":1470218591746723,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"thread_ts_usec":1470218591746723,"pkt":"mAyC0zx8AAjKQoXqCABFAABG3rhAAEARTXXAqCsMizuXiaIjNXAAMosJOLAsz\/G18BdPwJFmbjsSS62jkXMxe5OXItH+Y74AAAABV6HBXwAAAAAA"} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":97,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1470218591746723,"flow_dst_last_pkt_time":1470218591941902,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":96,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":96,"pkt_l4_len":62,"thread_ts_usec":1470218591941902,"pkt":"AAjKQoXqmAyC0zx8CABFAABSYIhAADIR2ZmLO5eJwKgrDDVwoiMAPhWBQPd\/wu\/b4j9X3sTI1WVNByO\/jAvlQThWMnDPrhMAAAABV6HBXwEAAAAAsCzP8bXwF08AAAAA"} 00998{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":97,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218591746723,"flow_dst_last_pkt_time":1470218591941902,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":54,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":54,"midstream":0,"thread_ts_usec":1470218591941902,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":98,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1470218591942539,"flow_dst_last_pkt_time":1470218591941902,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1470218591942539,"pkt":"mAyC0zx8AAjKQoXqCABFAABO3uZAAEARTT\/AqCsMizuXiaIjNXAAOpZEKLAsz\/G18BdPyDdJemqNaU65YLasCHjnV9mH+DAAAAACV6HBXwEAAAAA93\/C79viP1c="} -01496{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":127,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218592449269,"flow_dst_last_pkt_time":1470218592448973,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":2054,"midstream":0,"thread_ts_usec":1470218592449269,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":395,"flow_avg":90599256.0,"flow_max":2897771415,"flow_stddev":504183008.0,"c_to_s_min":395,"c_to_s_avg":170498464.0,"c_to_s_max":2897771415,"c_to_s_stddev":681818240.0,"s_to_c_min":411,"s_to_c_avg":46816.7,"s_to_c_max":195179,"s_to_c_stddev":60001.2},"pktlen": {"c_to_s_min":84,"c_to_s_avg":106.4,"c_to_s_max":345,"c_to_s_stddev":59.7,"s_to_c_min":96,"s_to_c_avg":178.9,"s_to_c_max":196,"s_to_c_stddev":22.4}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01473{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":127,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218592449269,"flow_dst_last_pkt_time":1470218592448973,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":2054,"midstream":0,"thread_ts_usec":1470218592449269,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":395,"flow_avg":45316.0,"flow_max":195816,"flow_stddev":59561.3,"c_to_s_min":395,"c_to_s_avg":43909.1,"c_to_s_max":195816,"c_to_s_stddev":59111.3,"s_to_c_min":411,"s_to_c_avg":46816.7,"s_to_c_max":195179,"s_to_c_stddev":60001.2},"pktlen": {"c_to_s_min":84,"c_to_s_avg":106.4,"c_to_s_max":345,"c_to_s_stddev":59.7,"s_to_c_min":96,"s_to_c_avg":178.9,"s_to_c_max":196,"s_to_c_stddev":22.4}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01044{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":179,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":44,"flow_dst_packets_processed":51,"flow_first_seen":1467904946700231,"flow_src_last_pkt_time":1467905010834916,"flow_dst_last_pkt_time":1467905010834882,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":4602,"flow_dst_tot_l4_payload_len":4492,"midstream":0,"thread_ts_usec":1470218600860349,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"46.101.231.218","src_port":60140,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":179,"source":"openvpn.pcap","alias":"nDPId-test","packets-captured":179,"packets-processed":178,"total-skipped-flows":0,"total-l4-payload-len":19167,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1472334890224928} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":179,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334890224928,"flow_dst_last_pkt_time":1472334890224928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1472334890224928,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -20,7 +20,7 @@ 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":180,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1472334892420816,"flow_dst_last_pkt_time":1472334890224928,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"thread_ts_usec":1472334892420816,"pkt":"mAyC0zx8MFLLbJwbCABFAABGfNNAAEARr1TAqCsSizuXiTVwNXAAMg7DOGYO4pqkkLBZptsOrY2Z8Me\/lrzRmp5vsU3x26QAAAACV8IMKgAAAAAA"} 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":181,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1472334892420816,"flow_dst_last_pkt_time":1472334892467380,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":96,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":96,"pkt_l4_len":62,"thread_ts_usec":1472334892467380,"pkt":"MFLLbJwbmAyC0zx8CABFAABSgmRAADERuLeLO5eJwKgrEjVwNXAAPoh1QDWQheTdAi5E5ZNzw1yvtD56Ix7qRbnOSoCURYgAAAABV8IMLQEAAAAAZg7imqSQsFkAAAAA"} 00999{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":181,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334892420816,"flow_dst_last_pkt_time":1472334892467380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":54,"flow_src_tot_l4_payload_len":84,"flow_dst_tot_l4_payload_len":54,"midstream":0,"thread_ts_usec":1472334892467380,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} -01499{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":210,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334893134977,"flow_dst_last_pkt_time":1472334893134900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":1087,"flow_dst_tot_l4_payload_len":1962,"midstream":0,"thread_ts_usec":1472334893134977,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":128,"flow_avg":99102368.0,"flow_max":3165455733,"flow_stddev":550733568.0,"c_to_s_min":128,"c_to_s_avg":186374464.0,"c_to_s_max":3165455733,"c_to_s_stddev":744770432.0,"s_to_c_min":417,"s_to_c_avg":193998.1,"s_to_c_max":2242452,"s_to_c_stddev":551072.1},"pktlen": {"c_to_s_min":84,"c_to_s_avg":105.9,"c_to_s_max":345,"c_to_s_stddev":59.8,"s_to_c_min":92,"s_to_c_avg":172.8,"s_to_c_max":196,"s_to_c_stddev":31.1}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01482{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":210,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334893134977,"flow_dst_last_pkt_time":1472334893134900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":1087,"flow_dst_tot_l4_payload_len":1962,"midstream":0,"thread_ts_usec":1472334893134977,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":128,"flow_avg":187742.6,"flow_max":2242452,"flow_stddev":537269.1,"c_to_s_min":128,"c_to_s_avg":181878.1,"c_to_s_max":2195888,"c_to_s_stddev":523930.8,"s_to_c_min":417,"s_to_c_avg":193998.1,"s_to_c_max":2242452,"s_to_c_stddev":551072.1},"pktlen": {"c_to_s_min":84,"c_to_s_avg":105.9,"c_to_s_max":345,"c_to_s_stddev":59.8,"s_to_c_min":92,"s_to_c_avg":172.8,"s_to_c_max":196,"s_to_c_stddev":31.1}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01047{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":248,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":49,"flow_dst_packets_processed":34,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218600860349,"flow_dst_last_pkt_time":1470218600859207,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1172,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":5802,"flow_dst_tot_l4_payload_len":4271,"midstream":0,"thread_ts_usec":1472334896789781,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01049{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":298,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":62,"flow_dst_packets_processed":58,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334909464448,"flow_dst_last_pkt_time":1472334909465454,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1172,"flow_dst_max_l4_payload_len":1245,"flow_src_tot_l4_payload_len":8904,"flow_dst_tot_l4_payload_len":14228,"midstream":0,"thread_ts_usec":1472334909465454,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":298,"source":"openvpn.pcap","alias":"nDPId-test","packets-captured":298,"packets-processed":298,"total-skipped-flows":0,"total-l4-payload-len":42299,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":3,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":26,"global_ts_usec":1472334909465454} @@ -37,5 +37,5 @@ ~~ total allocations/frees...: 121754/121754 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 478 chars -~~ json string max len.......: 1504 chars -~~ json string avg len.......: 990 chars +~~ json string max len.......: 1487 chars +~~ json string avg len.......: 981 chars diff --git a/test/results/pgm.pcap.out b/test/results/pgm.pcap.out index bf7c0b31f..9d4e12356 100644 --- a/test/results/pgm.pcap.out +++ b/test/results/pgm.pcap.out @@ -5,7 +5,7 @@ 00820{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654564815455078,"flow_src_last_pkt_time":1654564815455078,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1654564815455078,"l3_proto":"ip4","src_ip":"10.244.64.154","dst_ip":"235.0.1.47","l4_proto":113,"ndpi": {"confidence": {"6":"DPI"},"proto":"PGM","proto_id":"296","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1654564816295763,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":129,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":129,"pkt_l4_len":95,"thread_ts_usec":1654564816295763,"pkt":"AQBeAAEviFH7P19UCABFAABzDnBAABRxH+0K9ECa6wABL9YlAHsEAAH0CvRAmtYlAF8AUenoAFHoKENTQQCABAAAbQAFAFBSSUNFAAAAAAAAAAAAAAAAAAAAAP\/\/AADXyjEBAQAAAAr0QJoAAAAANH8AAAAAAAABAAAAAQAAACoA"} 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1654564816316549,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":127,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":127,"pkt_l4_len":93,"thread_ts_usec":1654564816316549,"pkt":"AQBeAAEviFH7P19UCABFAABxDoBAABRxH98K9ECa6wABL9YlAHsEAE8tCvRAmtYlAF0AUenpAFHoKENTQQCABAAAbQADAExPRwAAAAAAAAAAAAAAAAAAAAD\/\/wAA18oxAQEAAAAK9ECaAAAAAEJ\/AAAAAAAAAQAAAAEAAAAqAA=="} -01293{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1654564815455078,"flow_src_last_pkt_time":1654564817394846,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1310,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5416,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1654564817394846,"l3_proto":"ip4","src_ip":"10.244.64.154","dst_ip":"235.0.1.47","l4_proto":113,"flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":16,"flow_avg":52532956.0,"flow_max":1679114838,"flow_stddev":292142784.0,"c_to_s_min":16,"c_to_s_avg":52532956.0,"c_to_s_max":1679114838,"c_to_s_stddev":292142784.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":70,"c_to_s_avg":203.2,"c_to_s_max":1344,"c_to_s_stddev":214.8,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"PGM","proto_id":"296","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01273{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1654564815455078,"flow_src_last_pkt_time":1654564817394846,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1310,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5416,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1654564817394846,"l3_proto":"ip4","src_ip":"10.244.64.154","dst_ip":"235.0.1.47","l4_proto":113,"flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":16,"flow_avg":62573.2,"flow_max":840685,"flow_stddev":155726.8,"c_to_s_min":16,"c_to_s_avg":62573.2,"c_to_s_max":840685,"c_to_s_stddev":155726.8,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":70,"c_to_s_avg":203.2,"c_to_s_max":1344,"c_to_s_stddev":214.8,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"PGM","proto_id":"296","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00871{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":1000,"flow_dst_packets_processed":0,"flow_first_seen":1654564815455078,"flow_src_last_pkt_time":1654564894361003,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1310,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":162302,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1654564894361003,"l3_proto":"ip4","src_ip":"10.244.64.154","dst_ip":"235.0.1.47","l4_proto":113,"flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"PGM","proto_id":"296","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1000,"source":"pgm.pcap","alias":"nDPId-test","packets-captured":1000,"packets-processed":1000,"total-skipped-flows":0,"total-l4-payload-len":162302,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1654564894361003} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 122433/122433 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 474 chars -~~ json string max len.......: 1298 chars -~~ json string avg len.......: 854 chars +~~ json string max len.......: 1278 chars +~~ json string avg len.......: 845 chars diff --git a/test/results/pinterest.pcap.out b/test/results/pinterest.pcap.out index 9b4cc65cc..661822849 100644 --- a/test/results/pinterest.pcap.out +++ b/test/results/pinterest.pcap.out @@ -13,7 +13,7 @@ 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713761745,"flow_dst_last_pkt_time":1605289713761186,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289713761745,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01217{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713761745,"flow_dst_last_pkt_time":1605289713802900,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605289713802900,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 03116{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":7,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713802981,"flow_dst_last_pkt_time":1605289713803139,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5240,"midstream":0,"thread_ts_usec":1605289713803139,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} -01231{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713845515,"flow_dst_last_pkt_time":1605289714059633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":8219,"midstream":0,"thread_ts_usec":1605289714059633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":63179.5,"flow_max":1540532,"flow_stddev":271663.7,"c_to_s_min":13,"c_to_s_avg":109499.3,"c_to_s_max":1540532,"c_to_s_stddev":382674.2,"s_to_c_min":1,"s_to_c_avg":19754.8,"s_to_c_max":172415,"s_to_c_stddev":42490.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":160.7,"c_to_s_max":603,"c_to_s_stddev":149.9,"s_to_c_min":86,"s_to_c_avg":569.9,"s_to_c_max":1134,"s_to_c_stddev":485.8}}} +01224{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713845515,"flow_dst_last_pkt_time":1605289714059633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":8219,"midstream":0,"thread_ts_usec":1605289714059633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":13934.5,"flow_max":172415,"flow_stddev":32920.5,"c_to_s_min":13,"c_to_s_avg":7282.7,"c_to_s_max":41182,"c_to_s_stddev":13265.9,"s_to_c_min":1,"s_to_c_avg":19754.8,"s_to_c_max":172415,"s_to_c_stddev":42490.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":160.7,"c_to_s_max":603,"c_to_s_stddev":149.9,"s_to_c_min":86,"s_to_c_avg":569.9,"s_to_c_max":1134,"s_to_c_stddev":485.8}}} 03119{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":36,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713845515,"flow_dst_last_pkt_time":1605289714059633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":8219,"midstream":0,"thread_ts_usec":1605289714059633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} 00785{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":79,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289714142423,"flow_src_last_pkt_time":1605289714142423,"flow_dst_last_pkt_time":1605289714142423,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714142423,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714142423,"flow_dst_last_pkt_time":1605289714142423,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714142423,"pkt":"qtsDr8lk5EKm5WPyht1gBvDPACgGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAACElnABu5Qp1R0AAAAAoAL9IJUzAAACBAWgBAIICtZiIAMAAAAAAQMDBw=="} @@ -63,7 +63,7 @@ 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":160,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714250997,"flow_dst_last_pkt_time":1605289714250997,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714250997,"pkt":"qtsDr8lk5EKm5WPyht1gCIReACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAC5WYBu2PBi7kDA7Y3gBAB9bhLAAABAQgKDEf\/5cK4cls="} 00789{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":161,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289714251006,"flow_src_last_pkt_time":1605289714251006,"flow_dst_last_pkt_time":1605289714251006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289714251006,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:13e2","src_port":34626,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":161,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714251006,"flow_dst_last_pkt_time":1605289714251006,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714251006,"pkt":"qtsDr8lk5EKm5WPyht1gCQO3ACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACs2RPih0IBu\/o5BzSfc9\/MgBAB9chlAAABAQgK4ziLg8K4a4Y="} -01493{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":193,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289714142423,"flow_src_last_pkt_time":1605289714260622,"flow_dst_last_pkt_time":1605289714260607,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":954,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2837,"flow_dst_tot_l4_payload_len":7034,"midstream":0,"thread_ts_usec":1605289714260622,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8363.0,"flow_max":53871,"flow_stddev":14932.2,"c_to_s_min":7,"c_to_s_avg":7837.1,"c_to_s_max":43618,"c_to_s_stddev":13490.0,"s_to_c_min":1,"s_to_c_avg":9091.1,"s_to_c_max":53871,"s_to_c_stddev":16697.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":244.1,"c_to_s_max":1040,"c_to_s_stddev":244.0,"s_to_c_min":86,"s_to_c_avg":589.0,"s_to_c_max":1474,"s_to_c_stddev":631.1}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01493{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":193,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289714142423,"flow_src_last_pkt_time":1605289714260622,"flow_dst_last_pkt_time":1605289714260607,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":954,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2837,"flow_dst_tot_l4_payload_len":7034,"midstream":0,"thread_ts_usec":1605289714260622,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":7879.4,"flow_max":53871,"flow_stddev":14938.4,"c_to_s_min":7,"c_to_s_avg":6952.9,"c_to_s_max":43618,"c_to_s_stddev":13364.6,"s_to_c_min":1,"s_to_c_avg":9091.1,"s_to_c_max":53871,"s_to_c_stddev":16697.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":244.1,"c_to_s_max":1040,"c_to_s_stddev":244.0,"s_to_c_min":86,"s_to_c_avg":589.0,"s_to_c_max":1474,"s_to_c_stddev":631.1}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":212,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714250965,"flow_dst_last_pkt_time":1605289714281312,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714281312,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAJdleFQqAcsBIEmLB5kd7IUo3\/YpAbuBhOqRBG+Jl1nfgBAm9NLhAAABAQgKwrkiYM+oHbQ="} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":213,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714250997,"flow_dst_last_pkt_time":1605289714288930,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714288930,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgLAAAAAAAAIAIqAcsBIEmLB5kd7IUo3\/YpAbvlZgMDtjdjwYu6gBAMIRHEAAABAQgKwrkiZwxF7DU="} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":214,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714251006,"flow_dst_last_pkt_time":1605289714288932,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714288932,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAKzZE+IqAcsBIEmLB5kd7IUo3\/YpAbuHQp9z38z6OQc1gBALjSOBAAABAQgKwrkiaOM2b+4="} @@ -84,20 +84,20 @@ 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":542,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714658043,"flow_dst_last_pkt_time":1605289714697878,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714697878,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleFQqAcsBIEmLB5kd7IUo3\/YpAbuCAAsx4c9qQ0l9oBJXgI0UAAACBAV4AQMDAwQCCArCuSQBz6oz\/w=="} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":543,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1605289714697936,"flow_dst_last_pkt_time":1605289714697878,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714697936,"pkt":"qtsDr8lk5EKm5WPyht1gCBesACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXhUggABu2pDSX0LMeHQgBAB+xD+AAABAQgKz6o0J8K5JAE="} 01165{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":544,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714698324,"flow_dst_last_pkt_time":1605289714697878,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714698324,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01377{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":573,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289714590794,"flow_src_last_pkt_time":1605289714712098,"flow_dst_last_pkt_time":1605289714737758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":4645,"midstream":0,"thread_ts_usec":1605289714737758,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2004","src_port":40694,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9244.4,"flow_max":43788,"flow_stddev":13902.6,"c_to_s_min":3,"c_to_s_avg":7668.8,"c_to_s_max":43788,"c_to_s_stddev":13549.6,"s_to_c_min":1,"s_to_c_avg":11304.9,"s_to_c_max":39176,"s_to_c_stddev":14087.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":149.2,"c_to_s_max":603,"c_to_s_stddev":137.0,"s_to_c_min":86,"s_to_c_avg":396.2,"s_to_c_max":1294,"s_to_c_stddev":419.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01377{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":573,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289714590794,"flow_src_last_pkt_time":1605289714712098,"flow_dst_last_pkt_time":1605289714737758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":4645,"midstream":0,"thread_ts_usec":1605289714737758,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2004","src_port":40694,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9250.6,"flow_max":43788,"flow_stddev":14140.2,"c_to_s_min":3,"c_to_s_avg":7581.5,"c_to_s_max":43788,"c_to_s_stddev":13961.9,"s_to_c_min":1,"s_to_c_avg":11304.9,"s_to_c_max":39176,"s_to_c_stddev":14087.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":149.2,"c_to_s_max":603,"c_to_s_stddev":137.0,"s_to_c_min":86,"s_to_c_avg":396.2,"s_to_c_max":1294,"s_to_c_stddev":419.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01225{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":575,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714698324,"flow_dst_last_pkt_time":1605289714739608,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605289714739608,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 03124{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":583,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":7,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714739677,"flow_dst_last_pkt_time":1605289714740234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5240,"midstream":0,"thread_ts_usec":1605289714740234,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} 00788{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714782619,"flow_dst_last_pkt_time":1605289714782619,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714782619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714782619,"flow_dst_last_pkt_time":1605289714782619,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714782619,"pkt":"qtsDr8lk5EKm5WPyht1gCp8uACgGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAAcg3toBu85LuqIAAAAAoAL9IEOtAAACBAWgBAIICnRgZN4AAAAAAQMDBw=="} -01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":639,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289714558209,"flow_src_last_pkt_time":1605289714795031,"flow_dst_last_pkt_time":1605289714793606,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1778,"flow_dst_tot_l4_payload_len":5802,"midstream":0,"thread_ts_usec":1605289714795031,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:1901::7a0b::","src_port":47032,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":20077.1,"flow_max":132689,"flow_stddev":34605.0,"c_to_s_min":8,"c_to_s_avg":19268.8,"c_to_s_max":132689,"c_to_s_stddev":38410.6,"s_to_c_min":1,"s_to_c_avg":21399.7,"s_to_c_max":93613,"s_to_c_stddev":27202.9},"pktlen": {"c_to_s_min":86,"c_to_s_avg":185.2,"c_to_s_max":603,"c_to_s_stddev":170.4,"s_to_c_min":86,"s_to_c_avg":501.0,"s_to_c_max":1294,"s_to_c_stddev":523.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":639,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289714558209,"flow_src_last_pkt_time":1605289714795031,"flow_dst_last_pkt_time":1605289714793606,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1778,"flow_dst_tot_l4_payload_len":5802,"midstream":0,"thread_ts_usec":1605289714795031,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:1901::7a0b::","src_port":47032,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":16865.0,"flow_max":132689,"flow_stddev":30676.7,"c_to_s_min":8,"c_to_s_avg":13930.7,"c_to_s_max":132689,"c_to_s_stddev":32392.0,"s_to_c_min":1,"s_to_c_avg":21399.7,"s_to_c_max":93613,"s_to_c_stddev":27202.9},"pktlen": {"c_to_s_min":86,"c_to_s_avg":185.2,"c_to_s_max":603,"c_to_s_stddev":170.4,"s_to_c_min":86,"s_to_c_avg":501.0,"s_to_c_max":1294,"s_to_c_stddev":523.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":692,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714782619,"flow_dst_last_pkt_time":1605289714832909,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714832909,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoETkIAHQAAAAAAAAAAByAqAcsBIEmLB5kd7IUo3\/YpAbve2qyyOFrOS7qjoBJXgB0bAAACBAV4AQMDAwQCCArCuSSHdGBk3g=="} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":693,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1605289714832956,"flow_dst_last_pkt_time":1605289714832909,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714832956,"pkt":"qtsDr8lk5EKm5WPyht1gCp8uACAGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAAcg3toBu85LuqOssjhbgBAB+6D6AAABAQgKdGBlEMK5JIc="} 01138{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":694,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714833176,"flow_dst_last_pkt_time":1605289714832909,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714833176,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01198{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":870,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714833176,"flow_dst_last_pkt_time":1605289714867730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605289714867730,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 03542{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":876,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714868409,"flow_dst_last_pkt_time":1605289714869584,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5552,"midstream":0,"thread_ts_usec":1605289714869584,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","server_names":"imgix2.map.fastly.net,*.camp-fire.jp,*.carwow.co.uk,*.carwow.de,*.carwow.es,*.catchandrelease.com,*.dorothee-schumacher.com,*.footway.com,*.img-ikyu.com,*.imgix.drizly.com,*.instamotor.com,*.microdinc.com,*.msastaging.com,*.peddle.com,*.remax.ca,*.ustudio.com,*.vaping360.com,*.weber.com,article-image-ix.nikkei.com,assets.eberhardt-travel.de,assets.verishop.com,assets.verishop.xyz,cdn.airstream.com,cdn.elementthree.com,cdn.hashnode.com,cdn.naturalhealthyconcepts.com,cdn.parent.eu,cdn.phonehouse.es,cdn.shiplus.co.il,i.drop-cdn.com,i.upworthy.com,image.volunteerworld.com,imageproxy.themaven.net,images-dev.takeshape.io,images.101cookbooks.com,images.beano.com,images.businessoffashion.com,images.congstar.de,images.diesdas.digital,images.fandor.com,images.greetingsisland.com,images.malaecuia.com.br,images.omaze.com,images.roulottesgagnon.com,images.takeshape.io,images.thewanderful.co,images.unsplash.com,images.victoriaplum.com,images.vraiandoro.com,img-1.homely.com.au,img-stack.imagereflow.com,img.badshop.se,img.bernieandphyls.com,img.bioopticsworld.com,img.broadbandtechreport.com,img.broadwaybox.com,img.bygghemma.se,img.bygghjemme.no,img.byggshop.se,img.cablinginstall.com,img.dentaleconomics.com,img.dentistryiq.com,img.evaluationengineering.com,img.golvshop.se,img.grudado.com.br,img.industrial-lasers.com,img.induux.de,img.intelligent-aerospace.com,img.inturn.co,img.laserfocusworld.com,img.ledsmagazine.com,img.lightwaveonline.com,img.militaryaerospace.com,img.mychannels.video,img.officer.com,img.offshore-mag.com,img.ogj.com,img.perioimplantadvisory.com,img.plasticsmachinerymagazine.com,img.prevu.com,img.rdhmag.com,img.speedcurve.com,img.strategies-u.com,img.utilityproducts.com,img.vision-systems.com,img.waterworld.com,img.workbook.com,img.xlhemma.se,img1.nowpurchase.com,iw.induux.de,m.22slides.com,media.sailrace.com,media.useyourlocal.com,pictures.hideaways.dk,raven.contrado.com,resources.intuitive.com,static.doorsuperstore.co.uk","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=imgix2.map.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1F:BC:A1:79:48:96:70:32:B8:08:C1:38:D4:20:12:BE:D9:6F:14:B6"}}} -01224{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714873020,"flow_dst_last_pkt_time":1605289714873010,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1043,"flow_dst_tot_l4_payload_len":6264,"midstream":0,"thread_ts_usec":1605289714873020,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":15596.2,"flow_max":89623,"flow_stddev":22981.5,"c_to_s_min":4,"c_to_s_avg":13858.0,"c_to_s_max":89623,"c_to_s_stddev":24588.8,"s_to_c_min":1,"s_to_c_avg":17913.9,"s_to_c_max":49740,"s_to_c_stddev":20415.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":151.7,"c_to_s_max":603,"c_to_s_stddev":138.3,"s_to_c_min":86,"s_to_c_avg":478.0,"s_to_c_max":1134,"s_to_c_stddev":456.8}}} +01224{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714873020,"flow_dst_last_pkt_time":1605289714873010,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1043,"flow_dst_tot_l4_payload_len":6264,"midstream":0,"thread_ts_usec":1605289714873020,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":15923.9,"flow_max":89623,"flow_stddev":23339.0,"c_to_s_min":4,"c_to_s_avg":14331.8,"c_to_s_max":89623,"c_to_s_stddev":25324.4,"s_to_c_min":1,"s_to_c_avg":17913.9,"s_to_c_max":49740,"s_to_c_stddev":20415.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":151.7,"c_to_s_max":603,"c_to_s_stddev":138.3,"s_to_c_min":86,"s_to_c_avg":478.0,"s_to_c_max":1134,"s_to_c_stddev":456.8}}} 03127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714873020,"flow_dst_last_pkt_time":1605289714873010,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1043,"flow_dst_tot_l4_payload_len":6264,"midstream":0,"thread_ts_usec":1605289714873020,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} -01223{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1116,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714902517,"flow_dst_last_pkt_time":1605289714903070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1077,"flow_dst_tot_l4_payload_len":12561,"midstream":0,"thread_ts_usec":1605289714903070,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8993.0,"flow_max":50337,"flow_stddev":16126.1,"c_to_s_min":6,"c_to_s_avg":7647.4,"c_to_s_max":50337,"c_to_s_stddev":15156.8,"s_to_c_min":1,"s_to_c_avg":10950.1,"s_to_c_max":50290,"s_to_c_stddev":17253.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":153.8,"c_to_s_max":603,"c_to_s_stddev":147.4,"s_to_c_min":86,"s_to_c_avg":871.6,"s_to_c_max":1474,"s_to_c_stddev":656.4}}} +01223{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1116,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714902517,"flow_dst_last_pkt_time":1605289714903070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1077,"flow_dst_tot_l4_payload_len":12561,"midstream":0,"thread_ts_usec":1605289714903070,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9244.2,"flow_max":50337,"flow_stddev":16381.3,"c_to_s_min":6,"c_to_s_avg":7993.2,"c_to_s_max":50337,"c_to_s_stddev":15592.7,"s_to_c_min":1,"s_to_c_avg":10950.1,"s_to_c_max":50290,"s_to_c_stddev":17253.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":153.8,"c_to_s_max":603,"c_to_s_stddev":147.4,"s_to_c_min":86,"s_to_c_avg":871.6,"s_to_c_max":1474,"s_to_c_stddev":656.4}}} 03547{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1116,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714902517,"flow_dst_last_pkt_time":1605289714903070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1077,"flow_dst_tot_l4_payload_len":12561,"midstream":0,"thread_ts_usec":1605289714903070,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","server_names":"imgix2.map.fastly.net,*.camp-fire.jp,*.carwow.co.uk,*.carwow.de,*.carwow.es,*.catchandrelease.com,*.dorothee-schumacher.com,*.footway.com,*.img-ikyu.com,*.imgix.drizly.com,*.instamotor.com,*.microdinc.com,*.msastaging.com,*.peddle.com,*.remax.ca,*.ustudio.com,*.vaping360.com,*.weber.com,article-image-ix.nikkei.com,assets.eberhardt-travel.de,assets.verishop.com,assets.verishop.xyz,cdn.airstream.com,cdn.elementthree.com,cdn.hashnode.com,cdn.naturalhealthyconcepts.com,cdn.parent.eu,cdn.phonehouse.es,cdn.shiplus.co.il,i.drop-cdn.com,i.upworthy.com,image.volunteerworld.com,imageproxy.themaven.net,images-dev.takeshape.io,images.101cookbooks.com,images.beano.com,images.businessoffashion.com,images.congstar.de,images.diesdas.digital,images.fandor.com,images.greetingsisland.com,images.malaecuia.com.br,images.omaze.com,images.roulottesgagnon.com,images.takeshape.io,images.thewanderful.co,images.unsplash.com,images.victoriaplum.com,images.vraiandoro.com,img-1.homely.com.au,img-stack.imagereflow.com,img.badshop.se,img.bernieandphyls.com,img.bioopticsworld.com,img.broadbandtechreport.com,img.broadwaybox.com,img.bygghemma.se,img.bygghjemme.no,img.byggshop.se,img.cablinginstall.com,img.dentaleconomics.com,img.dentistryiq.com,img.evaluationengineering.com,img.golvshop.se,img.grudado.com.br,img.industrial-lasers.com,img.induux.de,img.intelligent-aerospace.com,img.inturn.co,img.laserfocusworld.com,img.ledsmagazine.com,img.lightwaveonline.com,img.militaryaerospace.com,img.mychannels.video,img.officer.com,img.offshore-mag.com,img.ogj.com,img.perioimplantadvisory.com,img.plasticsmachinerymagazine.com,img.prevu.com,img.rdhmag.com,img.speedcurve.com,img.strategies-u.com,img.utilityproducts.com,img.vision-systems.com,img.waterworld.com,img.workbook.com,img.xlhemma.se,img1.nowpurchase.com,iw.induux.de,m.22slides.com,media.sailrace.com,media.useyourlocal.com,pictures.hideaways.dk,raven.contrado.com,resources.intuitive.com,static.doorsuperstore.co.uk","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=imgix2.map.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1F:BC:A1:79:48:96:70:32:B8:08:C1:38:D4:20:12:BE:D9:6F:14:B6"}}} 00796{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2206,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289715133578,"flow_src_last_pkt_time":1605289715133578,"flow_dst_last_pkt_time":1605289715133578,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289715133578,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2206,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1605289715133578,"flow_dst_last_pkt_time":1605289715133578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289715133578,"pkt":"qtsDr8lk5EKm5WPyht1gAUyOACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACADyX4Bu+HPmfcAAAAAoAL9IJHxAAACBAWgBAIICjiITggAAAAAAQMDBw=="} @@ -117,9 +117,9 @@ 01175{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3667,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289715274358,"flow_src_last_pkt_time":1605289715301671,"flow_dst_last_pkt_time":1605289715301345,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289715301671,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"connect.facebook.net","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01204{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3797,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289715221747,"flow_src_last_pkt_time":1605289715274121,"flow_dst_last_pkt_time":1605289715321807,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605289715321807,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"apis.google.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01220{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3820,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289715274358,"flow_src_last_pkt_time":1605289715301671,"flow_dst_last_pkt_time":1605289715333684,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1380,"midstream":0,"thread_ts_usec":1605289715333684,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"connect.facebook.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01379{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715133578,"flow_src_last_pkt_time":1605289715335705,"flow_dst_last_pkt_time":1605289715335669,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":9735,"midstream":0,"thread_ts_usec":1605289715335705,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":16217.8,"flow_max":76867,"flow_stddev":27031.7,"c_to_s_min":2,"c_to_s_avg":12709.6,"c_to_s_max":76867,"c_to_s_stddev":26132.4,"s_to_c_min":1,"s_to_c_avg":22454.6,"s_to_c_max":76818,"s_to_c_stddev":27476.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":148.2,"c_to_s_max":603,"c_to_s_stddev":140.7,"s_to_c_min":86,"s_to_c_avg":694.9,"s_to_c_max":1294,"s_to_c_stddev":550.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01380{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4871,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715221747,"flow_src_last_pkt_time":1605289715430506,"flow_dst_last_pkt_time":1605289715430565,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10223,"midstream":0,"thread_ts_usec":1605289715430565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":13511.5,"flow_max":79486,"flow_stddev":22188.5,"c_to_s_min":8,"c_to_s_avg":13127.5,"c_to_s_max":79486,"c_to_s_stddev":23552.7,"s_to_c_min":1,"s_to_c_avg":13921.2,"s_to_c_max":69956,"s_to_c_stddev":20626.3},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.8,"c_to_s_max":603,"c_to_s_stddev":134.6,"s_to_c_min":86,"s_to_c_avg":725.4,"s_to_c_max":1294,"s_to_c_stddev":553.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01391{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5465,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289715274358,"flow_src_last_pkt_time":1605289715471680,"flow_dst_last_pkt_time":1605289715427326,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":1347,"flow_dst_tot_l4_payload_len":5004,"midstream":0,"thread_ts_usec":1605289715471680,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":11327.9,"flow_max":93180,"flow_stddev":21737.3,"c_to_s_min":9,"c_to_s_avg":11011.0,"c_to_s_max":64739,"c_to_s_stddev":18237.3,"s_to_c_min":1,"s_to_c_avg":11766.8,"s_to_c_max":93180,"s_to_c_stddev":25805.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":161.3,"c_to_s_max":603,"c_to_s_stddev":135.0,"s_to_c_min":86,"s_to_c_avg":444.0,"s_to_c_max":1466,"s_to_c_stddev":491.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01379{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715133578,"flow_src_last_pkt_time":1605289715335705,"flow_dst_last_pkt_time":1605289715335669,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":9735,"midstream":0,"thread_ts_usec":1605289715335705,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":16842.4,"flow_max":76867,"flow_stddev":27411.8,"c_to_s_min":2,"c_to_s_avg":13475.1,"c_to_s_max":76867,"c_to_s_stddev":26815.1,"s_to_c_min":1,"s_to_c_avg":22454.6,"s_to_c_max":76818,"s_to_c_stddev":27476.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":148.2,"c_to_s_max":603,"c_to_s_stddev":140.7,"s_to_c_min":86,"s_to_c_avg":694.9,"s_to_c_max":1294,"s_to_c_stddev":550.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01380{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4871,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715221747,"flow_src_last_pkt_time":1605289715430506,"flow_dst_last_pkt_time":1605289715430565,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10223,"midstream":0,"thread_ts_usec":1605289715430565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":13919.2,"flow_max":79486,"flow_stddev":22440.7,"c_to_s_min":8,"c_to_s_avg":13917.3,"c_to_s_max":79486,"c_to_s_stddev":24119.1,"s_to_c_min":1,"s_to_c_avg":13921.2,"s_to_c_max":69956,"s_to_c_stddev":20626.3},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.8,"c_to_s_max":603,"c_to_s_stddev":134.6,"s_to_c_min":86,"s_to_c_avg":725.4,"s_to_c_max":1294,"s_to_c_stddev":553.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01391{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5465,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289715274358,"flow_src_last_pkt_time":1605289715471680,"flow_dst_last_pkt_time":1605289715427326,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":1347,"flow_dst_tot_l4_payload_len":5004,"midstream":0,"thread_ts_usec":1605289715471680,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":11676.3,"flow_max":93180,"flow_stddev":22011.3,"c_to_s_min":9,"c_to_s_avg":11607.2,"c_to_s_max":64739,"c_to_s_stddev":18594.8,"s_to_c_min":1,"s_to_c_avg":11766.8,"s_to_c_max":93180,"s_to_c_stddev":25805.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":161.3,"c_to_s_max":603,"c_to_s_stddev":135.0,"s_to_c_min":86,"s_to_c_avg":444.0,"s_to_c_max":1466,"s_to_c_stddev":491.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00805{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6497,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289715782853,"flow_src_last_pkt_time":1605289715782853,"flow_dst_last_pkt_time":1605289715782853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289715782853,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f11f:83:face:b00c::25de","src_port":60340,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6497,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_src_last_pkt_time":1605289715782853,"flow_dst_last_pkt_time":1605289715782853,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289715782853,"pkt":"qtsDr8lk5EKm5WPyht1gAWIEACgGQCoBywEgSYsHmR3shSjf9ikqAyiA8R8Ag\/rOsAwAACXe67QBu2RbtWoAAAAAoAL9IBbyAAACBAWgBAIICmcfa8wAAAAAAQMDBw=="} 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6878,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_src_last_pkt_time":1605289715782853,"flow_dst_last_pkt_time":1605289715833903,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289715833903,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoDKIDxHwCD+s6wDAAAJd4qAcsBIEmLB5kd7IUo3\/YpAbvrtAAp+EJkW7VroBJXgNkoAAACBAV4AQMDAwQCCArCuShfZx9rzA=="} @@ -137,16 +137,16 @@ 00896{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":9522,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289716168715,"flow_src_last_pkt_time":1605289716168715,"flow_dst_last_pkt_time":1605289716168715,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":158,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":158,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":158,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289716168715,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2003","src_port":43562,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00729{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9523,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_src_last_pkt_time":1605289716168917,"flow_dst_last_pkt_time":1605289716168715,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":209,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":209,"pkt_l4_len":155,"thread_ts_usec":1605289716168917,"pkt":"qtsDr8lk5EKm5WPyht1gB32\/AJsGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACADqioBu9lanJS\/4e68gBgE1YEBAAABAQgKZPSVcMK4jAQXAwMAT0+KQ56NjlMHGW+d6G5ddduewRHnDyQJNOhFGSBeS16m4KVAja7XHlyuQrxKoq24Sn8bLVvUYgiRl0ogV926yAF+\/eBnK0DefdFCPgWpP6kXAwMAIh\/Eke2gVwnwKuWIWa9HbFAoJdRk5f1TigycRztSwvhmbFo="} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9663,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_src_last_pkt_time":1605289716168917,"flow_dst_last_pkt_time":1605289716192184,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289716192184,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgFAAAAAAAAIAMqAcsBIEmLB5kd7IUo3\/YpAbuqKr\/h7rzZWpyUgBALf8h0AAABAQgKwrkp2GT0lXA="} -01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9768,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1605289716168715,"flow_src_last_pkt_time":1605289716199465,"flow_dst_last_pkt_time":1605289716199511,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":158,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":281,"flow_dst_tot_l4_payload_len":21058,"midstream":1,"thread_ts_usec":1605289716199511,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2003","src_port":43562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":2468.5,"flow_max":28590,"flow_stddev":6924.6,"c_to_s_min":4,"c_to_s_avg":3709.3,"c_to_s_max":28590,"c_to_s_stddev":8834.7,"s_to_c_min":1,"s_to_c_avg":1811.5,"s_to_c_max":23469,"s_to_c_stddev":5546.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":117.2,"c_to_s_max":244,"c_to_s_stddev":59.0,"s_to_c_min":86,"s_to_c_avg":1001.6,"s_to_c_max":1294,"s_to_c_stddev":493.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9768,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1605289716168715,"flow_src_last_pkt_time":1605289716199465,"flow_dst_last_pkt_time":1605289716199511,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":158,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":281,"flow_dst_tot_l4_payload_len":21058,"midstream":1,"thread_ts_usec":1605289716199511,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2003","src_port":43562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":2461.8,"flow_max":28590,"flow_stddev":7061.6,"c_to_s_min":4,"c_to_s_avg":3843.8,"c_to_s_max":28590,"c_to_s_stddev":9362.0,"s_to_c_min":1,"s_to_c_avg":1811.5,"s_to_c_max":23469,"s_to_c_stddev":5546.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":117.2,"c_to_s_max":244,"c_to_s_stddev":59.0,"s_to_c_min":86,"s_to_c_avg":1001.6,"s_to_c_max":1294,"s_to_c_stddev":493.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00797{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14612,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717548570,"flow_dst_last_pkt_time":1605289717548570,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289717548570,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14612,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_src_last_pkt_time":1605289717548570,"flow_dst_last_pkt_time":1605289717548570,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289717548570,"pkt":"qtsDr8lk5EKm5WPyht1gD67DACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACANn74Bu+7PaD4AAAAAoAL9ID+FAAACBAWgBAIICjGG9eUAAAAAAQMDBw=="} 00573{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14613,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_src_last_pkt_time":1605289717548570,"flow_dst_last_pkt_time":1605289717572004,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289717572004,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgWAAAAAAAAIA0qAcsBIEmLB5kd7IUo3\/YpAbufvovR75juz2g\/oBJXgHfiAAACBAV4AQMDAwQCCArCuS86MYb15Q=="} 00561{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14614,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_src_last_pkt_time":1605289717572182,"flow_dst_last_pkt_time":1605289717572004,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289717572182,"pkt":"qtsDr8lk5EKm5WPyht1gD67DACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACANn74Bu+7PaD+L0e+ZgBAB+\/vbAAABAQgKMYb1\/cK5Lzo="} 01164{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":14615,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717572787,"flow_dst_last_pkt_time":1605289717572004,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289717572787,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"accounts.google.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01209{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14617,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717572787,"flow_dst_last_pkt_time":1605289717605090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605289717605090,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"accounts.google.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01395{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14635,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289715966342,"flow_src_last_pkt_time":1605289717653626,"flow_dst_last_pkt_time":1605289716195463,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":4020,"midstream":0,"thread_ts_usec":1605289717653626,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200a","src_port":47790,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":66083.4,"flow_max":1485939,"flow_stddev":269018.2,"c_to_s_min":8,"c_to_s_avg":99252.9,"c_to_s_max":1485939,"c_to_s_stddev":347177.4,"s_to_c_min":1,"s_to_c_avg":19093.4,"s_to_c_max":55481,"s_to_c_stddev":19376.6},"pktlen": {"c_to_s_min":86,"c_to_s_avg":161.8,"c_to_s_max":603,"c_to_s_stddev":143.6,"s_to_c_min":86,"s_to_c_avg":354.5,"s_to_c_max":1294,"s_to_c_stddev":415.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01383{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14645,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717681759,"flow_dst_last_pkt_time":1605289717681662,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":959,"flow_dst_tot_l4_payload_len":10121,"midstream":0,"thread_ts_usec":1605289717681759,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":23462.2,"flow_max":437585,"flow_stddev":77988.1,"c_to_s_min":7,"c_to_s_avg":35673.4,"c_to_s_max":437585,"c_to_s_stddev":104549.6,"s_to_c_min":1,"s_to_c_avg":9506.6,"s_to_c_max":42968,"s_to_c_stddev":13260.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.4,"c_to_s_max":603,"c_to_s_stddev":134.0,"s_to_c_min":86,"s_to_c_avg":719.1,"s_to_c_max":1294,"s_to_c_stddev":550.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01407{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14705,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715782853,"flow_src_last_pkt_time":1605289717682629,"flow_dst_last_pkt_time":1605289717754541,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":1620,"flow_dst_tot_l4_payload_len":4362,"midstream":0,"thread_ts_usec":1605289717754541,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f11f:83:face:b00c::25de","src_port":60340,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":129122.5,"flow_max":1522186,"flow_stddev":370971.8,"c_to_s_min":6,"c_to_s_avg":118874.2,"c_to_s_max":1489773,"c_to_s_stddev":356928.7,"s_to_c_min":1,"s_to_c_avg":140834.9,"s_to_c_max":1522186,"s_to_c_stddev":386063.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":187.8,"c_to_s_max":632,"c_to_s_stddev":185.4,"s_to_c_min":86,"s_to_c_avg":359.1,"s_to_c_max":1466,"s_to_c_stddev":464.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01396{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14635,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289715966342,"flow_src_last_pkt_time":1605289717653626,"flow_dst_last_pkt_time":1605289716195463,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":4020,"midstream":0,"thread_ts_usec":1605289717653626,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200a","src_port":47790,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":68443.0,"flow_max":1485939,"flow_stddev":273484.9,"c_to_s_min":8,"c_to_s_avg":105455.2,"c_to_s_max":1485939,"c_to_s_stddev":356947.4,"s_to_c_min":1,"s_to_c_avg":19093.4,"s_to_c_max":55481,"s_to_c_stddev":19376.6},"pktlen": {"c_to_s_min":86,"c_to_s_avg":161.8,"c_to_s_max":603,"c_to_s_stddev":143.6,"s_to_c_min":86,"s_to_c_avg":354.5,"s_to_c_max":1294,"s_to_c_stddev":415.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01378{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14645,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717681759,"flow_dst_last_pkt_time":1605289717681662,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":959,"flow_dst_tot_l4_payload_len":10121,"midstream":0,"thread_ts_usec":1605289717681759,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9182.1,"flow_max":42968,"flow_stddev":13199.7,"c_to_s_min":7,"c_to_s_avg":8879.3,"c_to_s_max":40413,"c_to_s_stddev":13135.3,"s_to_c_min":1,"s_to_c_avg":9506.6,"s_to_c_max":42968,"s_to_c_stddev":13260.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.4,"c_to_s_max":603,"c_to_s_stddev":134.0,"s_to_c_min":86,"s_to_c_avg":719.1,"s_to_c_max":1294,"s_to_c_stddev":550.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01407{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14705,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715782853,"flow_src_last_pkt_time":1605289717682629,"flow_dst_last_pkt_time":1605289717754541,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":1620,"flow_dst_tot_l4_payload_len":4362,"midstream":0,"thread_ts_usec":1605289717754541,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f11f:83:face:b00c::25de","src_port":60340,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":133498.8,"flow_max":1522186,"flow_stddev":376551.6,"c_to_s_min":6,"c_to_s_avg":126651.7,"c_to_s_max":1489773,"c_to_s_stddev":367319.2,"s_to_c_min":1,"s_to_c_avg":140834.9,"s_to_c_max":1522186,"s_to_c_stddev":386063.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":187.8,"c_to_s_max":632,"c_to_s_stddev":185.4,"s_to_c_min":86,"s_to_c_avg":359.1,"s_to_c_max":1466,"s_to_c_stddev":464.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00790{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14833,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289718346936,"flow_src_last_pkt_time":1605289718346936,"flow_dst_last_pkt_time":1605289718346936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289718346936,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":56940,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14833,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_src_last_pkt_time":1605289718346936,"flow_dst_last_pkt_time":1605289718346936,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289718346936,"pkt":"qtsDr8lk5EKm5WPyht1gDn7LACAGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAAcg3mwBu1MbKQQ2nwhTgBBf5ZGnAAABAQgKdGByysK4e5A="} 00797{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14834,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289718347032,"flow_src_last_pkt_time":1605289718347032,"flow_dst_last_pkt_time":1605289718347032,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289718347032,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51472,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -193,8 +193,8 @@ 01223{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16214,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733006105,"flow_dst_last_pkt_time":1605289733059043,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605289733059043,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"assets.pinterest.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 03122{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16230,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733059060,"flow_dst_last_pkt_time":1605289733060311,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5322,"midstream":0,"thread_ts_usec":1605289733060311,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"assets.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} 01226{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16506,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289732972740,"flow_src_last_pkt_time":1605289733019850,"flow_dst_last_pkt_time":1605289733177092,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605289733177092,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"www.google-analytics.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01395{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":16731,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289732972740,"flow_src_last_pkt_time":1605289733216831,"flow_dst_last_pkt_time":1605289733216812,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":969,"flow_dst_tot_l4_payload_len":9927,"midstream":0,"thread_ts_usec":1605289733216831,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":18128.2,"flow_max":157269,"flow_stddev":37205.5,"c_to_s_min":3,"c_to_s_avg":14434.7,"c_to_s_max":157269,"c_to_s_stddev":37941.0,"s_to_c_min":1,"s_to_c_avg":24407.2,"s_to_c_max":112030,"s_to_c_stddev":35038.2},"pktlen": {"c_to_s_min":86,"c_to_s_avg":143.5,"c_to_s_max":603,"c_to_s_stddev":131.7,"s_to_c_min":86,"s_to_c_avg":748.3,"s_to_c_max":1294,"s_to_c_stddev":539.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} -01228{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":17210,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733287022,"flow_dst_last_pkt_time":1605289733341107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1151,"flow_dst_tot_l4_payload_len":10308,"midstream":0,"thread_ts_usec":1605289733341107,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":26289.6,"flow_max":135965,"flow_stddev":41383.3,"c_to_s_min":3,"c_to_s_avg":21858.2,"c_to_s_max":111148,"c_to_s_stddev":37792.5,"s_to_c_min":1,"s_to_c_avg":31828.9,"s_to_c_max":135965,"s_to_c_stddev":44863.4},"pktlen": {"c_to_s_min":86,"c_to_s_avg":163.3,"c_to_s_max":603,"c_to_s_stddev":138.4,"s_to_c_min":86,"s_to_c_avg":692.8,"s_to_c_max":1474,"s_to_c_stddev":639.8}}} +01395{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":16731,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289732972740,"flow_src_last_pkt_time":1605289733216831,"flow_dst_last_pkt_time":1605289733216812,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":969,"flow_dst_tot_l4_payload_len":9927,"midstream":0,"thread_ts_usec":1605289733216831,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":18775.5,"flow_max":157269,"flow_stddev":37764.8,"c_to_s_min":3,"c_to_s_avg":15255.7,"c_to_s_max":157269,"c_to_s_stddev":38961.9,"s_to_c_min":1,"s_to_c_avg":24407.2,"s_to_c_max":112030,"s_to_c_stddev":35038.2},"pktlen": {"c_to_s_min":86,"c_to_s_avg":143.5,"c_to_s_max":603,"c_to_s_stddev":131.7,"s_to_c_min":86,"s_to_c_avg":748.3,"s_to_c_max":1294,"s_to_c_stddev":539.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} +01228{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":17210,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733287022,"flow_dst_last_pkt_time":1605289733341107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1151,"flow_dst_tot_l4_payload_len":10308,"midstream":0,"thread_ts_usec":1605289733341107,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":27300.3,"flow_max":135965,"flow_stddev":41843.3,"c_to_s_min":3,"c_to_s_avg":23418.7,"c_to_s_max":111148,"c_to_s_stddev":38649.3,"s_to_c_min":1,"s_to_c_avg":31828.9,"s_to_c_max":135965,"s_to_c_stddev":44863.4},"pktlen": {"c_to_s_min":86,"c_to_s_avg":163.3,"c_to_s_max":603,"c_to_s_stddev":138.4,"s_to_c_min":86,"s_to_c_avg":692.8,"s_to_c_max":1474,"s_to_c_stddev":639.8}}} 03126{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17210,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733287022,"flow_dst_last_pkt_time":1605289733341107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1151,"flow_dst_tot_l4_payload_len":10308,"midstream":0,"thread_ts_usec":1605289733341107,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"assets.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} 00791{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":17592,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733399863,"flow_dst_last_pkt_time":1605289733399863,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289733399863,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17592,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1605289733399863,"flow_dst_last_pkt_time":1605289733399863,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289733399863,"pkt":"qtsDr8lk5EKm5WPyht1gBe6sACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXpunLIBuwBxlgkAAAAAoAL9IKzvAAACBAWgBAIICsW6TI0AAAAAAQMDBw=="} @@ -203,7 +203,7 @@ 01143{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":17597,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733421383,"flow_dst_last_pkt_time":1605289733420828,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289733421383,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17600,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733421383,"flow_dst_last_pkt_time":1605289733466833,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605289733466833,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 03186{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17606,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733466898,"flow_dst_last_pkt_time":1605289733468841,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5240,"midstream":0,"thread_ts_usec":1605289733468841,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","server_names":"f4.shared.global.fastly.net,*.500px.com,*.500px.net,*.500px.org,*.acceptance.habitat.sh,*.api.swiftype.com,*.art19.com,*.brave.com,*.chef.co,*.chef.io,*.cookpad.com,*.evbstatic.com,*.eventbrite.com,*.experiencepoint.com,*.fs.pastbook.com,*.fs.quploads.com,*.ftcdn.net,*.fubo.tv,*.getchef.com,*.githash.fubo.tv,*.habitat.sh,*.inspec.io,*.issuu.com,*.isu.pub,*.jimdo-dev-staging.com,*.jimdo-stable-staging.com,*.lulus.com,*.mansion-market.com,*.marfeel.com,*.massrel.io,*.meetu.ps,*.meetup.com,*.meetupstatic.com,*.newrelic.com,*.opscode.com,*.perimeterx.net,*.production.cdn.art19.com,*.staging.art19.com,*.staging.cdn.art19.com,*.swiftype.com,*.tissuu.com,*.video.franklyinc.com,*.wikihow.com,*.worldnow.com,500px.com,500px.net,500px.org,a1.awin1.com,acceptance.habitat.sh,api.swiftype.com,app.birchbox.com,app.staging.birchbox.com,app.staging.birchbox.es,art19.com,brave.com,cdn-f.adsmoloco.com,cdn.evbuc.com,cdn.polyfills.io,chef.co,chef.io,content.gamefuel.info,evbuc.com,experiencepoint.com,fast.appcues.com,fast.wistia.com,fast.wistia.net,fast.wistia.st,fubo.tv,getchef.com,githash.fubo.tv,habitat.sh,hbbtv.6play.fr,houstontexans.com,insight.atpi.com,inspec.io,jimdo-dev-staging.com,jimdo-stable-staging.com,link.sg.booking.com,mansion-market.com,media.bunited.com,meetu.ps,meetup.com,meetupstatic.com,onairhls.malimarcdn.net,opscode.com,perimeterx.net,polyfill.webservices.ft.com,qa.polyfills.io,raiders.com,s.sg.booking.com,s.swiftypecdn.com,static.birchbox.com,swiftype.com,viverepiusani.it,wikihow.com,wistia.com,www.dwin2.com,www.houstontexans.com,www.raiders.com,www.wada-ama.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=f4.shared.global.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"BE:28:82:77:5B:06:41:1F:70:84:BD:A4:B9:FB:F0:BC:B1:B5:E3:A0"}}} -01223{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":17626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733500742,"flow_dst_last_pkt_time":1605289733511200,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":8749,"midstream":0,"thread_ts_usec":1605289733511200,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":7699.2,"flow_max":45476,"flow_stddev":12868.6,"c_to_s_min":7,"c_to_s_avg":8439.9,"c_to_s_max":45476,"c_to_s_stddev":13964.6,"s_to_c_min":1,"s_to_c_avg":6958.6,"s_to_c_max":37100,"s_to_c_stddev":11623.0},"pktlen": {"c_to_s_min":86,"c_to_s_avg":150.1,"c_to_s_max":603,"c_to_s_stddev":135.7,"s_to_c_min":86,"s_to_c_avg":633.3,"s_to_c_max":1134,"s_to_c_stddev":504.1}}} +01223{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":17626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733500742,"flow_dst_last_pkt_time":1605289733511200,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":8749,"midstream":0,"thread_ts_usec":1605289733511200,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":6845.7,"flow_max":45476,"flow_stddev":12150.2,"c_to_s_min":7,"c_to_s_avg":6725.3,"c_to_s_max":45476,"c_to_s_stddev":12687.3,"s_to_c_min":1,"s_to_c_avg":6958.6,"s_to_c_max":37100,"s_to_c_stddev":11623.0},"pktlen": {"c_to_s_min":86,"c_to_s_avg":150.1,"c_to_s_max":603,"c_to_s_stddev":135.7,"s_to_c_min":86,"s_to_c_avg":633.3,"s_to_c_max":1134,"s_to_c_stddev":504.1}}} 03189{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733500742,"flow_dst_last_pkt_time":1605289733511200,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":8749,"midstream":0,"thread_ts_usec":1605289733511200,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","server_names":"f4.shared.global.fastly.net,*.500px.com,*.500px.net,*.500px.org,*.acceptance.habitat.sh,*.api.swiftype.com,*.art19.com,*.brave.com,*.chef.co,*.chef.io,*.cookpad.com,*.evbstatic.com,*.eventbrite.com,*.experiencepoint.com,*.fs.pastbook.com,*.fs.quploads.com,*.ftcdn.net,*.fubo.tv,*.getchef.com,*.githash.fubo.tv,*.habitat.sh,*.inspec.io,*.issuu.com,*.isu.pub,*.jimdo-dev-staging.com,*.jimdo-stable-staging.com,*.lulus.com,*.mansion-market.com,*.marfeel.com,*.massrel.io,*.meetu.ps,*.meetup.com,*.meetupstatic.com,*.newrelic.com,*.opscode.com,*.perimeterx.net,*.production.cdn.art19.com,*.staging.art19.com,*.staging.cdn.art19.com,*.swiftype.com,*.tissuu.com,*.video.franklyinc.com,*.wikihow.com,*.worldnow.com,500px.com,500px.net,500px.org,a1.awin1.com,acceptance.habitat.sh,api.swiftype.com,app.birchbox.com,app.staging.birchbox.com,app.staging.birchbox.es,art19.com,brave.com,cdn-f.adsmoloco.com,cdn.evbuc.com,cdn.polyfills.io,chef.co,chef.io,content.gamefuel.info,evbuc.com,experiencepoint.com,fast.appcues.com,fast.wistia.com,fast.wistia.net,fast.wistia.st,fubo.tv,getchef.com,githash.fubo.tv,habitat.sh,hbbtv.6play.fr,houstontexans.com,insight.atpi.com,inspec.io,jimdo-dev-staging.com,jimdo-stable-staging.com,link.sg.booking.com,mansion-market.com,media.bunited.com,meetu.ps,meetup.com,meetupstatic.com,onairhls.malimarcdn.net,opscode.com,perimeterx.net,polyfill.webservices.ft.com,qa.polyfills.io,raiders.com,s.sg.booking.com,s.swiftypecdn.com,static.birchbox.com,swiftype.com,viverepiusani.it,wikihow.com,wistia.com,www.dwin2.com,www.houstontexans.com,www.raiders.com,www.wada-ama.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=f4.shared.global.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"BE:28:82:77:5B:06:41:1F:70:84:BD:A4:B9:FB:F0:BC:B1:B5:E3:A0"}}} 00899{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":17657,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605289712203025,"flow_src_last_pkt_time":1605289712203025,"flow_dst_last_pkt_time":1605289712420176,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289734948586,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:807::200a","src_port":40876,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00797{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":17657,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605289712203025,"flow_src_last_pkt_time":1605289712203025,"flow_dst_last_pkt_time":1605289712420176,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289734948586,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:807::200a","src_port":40876,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/pop3_stls.pcap.out b/test/results/pop3_stls.pcap.out index 411ef5097..e603a5f3d 100644 --- a/test/results/pop3_stls.pcap.out +++ b/test/results/pop3_stls.pcap.out @@ -8,7 +8,7 @@ 01116{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":13,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":7,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096810351879,"flow_dst_last_pkt_time":1346096810349671,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":149,"flow_src_tot_l4_payload_len":186,"flow_dst_tot_l4_payload_len":225,"midstream":0,"thread_ts_usec":1346096810351879,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01118{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":8,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096810351879,"flow_dst_last_pkt_time":1346096810420652,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":186,"flow_dst_tot_l4_payload_len":1685,"midstream":0,"thread_ts_usec":1346096810420652,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01223{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":18,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":11,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096810421794,"flow_dst_last_pkt_time":1346096810490233,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":186,"flow_dst_tot_l4_payload_len":4965,"midstream":0,"thread_ts_usec":1346096810490233,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} -01224{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096812985585,"flow_dst_last_pkt_time":1346096813059760,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":648,"flow_dst_tot_l4_payload_len":5522,"midstream":0,"thread_ts_usec":1346096813059760,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":215,"flow_avg":78966392.0,"flow_max":2518772355,"flow_stddev":438202400.0,"c_to_s_min":6957,"c_to_s_avg":194062416.0,"c_to_s_max":2518772355,"c_to_s_stddev":671086208.0,"s_to_c_min":215,"s_to_c_avg":216483.2,"s_to_c_max":2002867,"s_to_c_stddev":472021.6},"pktlen": {"c_to_s_min":54,"c_to_s_avg":104.8,"c_to_s_max":368,"c_to_s_stddev":87.3,"s_to_c_min":60,"s_to_c_avg":346.8,"s_to_c_max":1514,"s_to_c_stddev":513.6}}} +01207{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096812985585,"flow_dst_last_pkt_time":1346096813059760,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":648,"flow_dst_tot_l4_payload_len":5522,"midstream":0,"thread_ts_usec":1346096813059760,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":215,"flow_avg":262973.8,"flow_max":2072094,"flow_stddev":524859.6,"c_to_s_min":6957,"c_to_s_avg":336583.8,"c_to_s_max":2072094,"c_to_s_stddev":591638.4,"s_to_c_min":215,"s_to_c_avg":216483.2,"s_to_c_max":2002867,"s_to_c_stddev":472021.6},"pktlen": {"c_to_s_min":54,"c_to_s_avg":104.8,"c_to_s_max":368,"c_to_s_stddev":87.3,"s_to_c_min":60,"s_to_c_avg":346.8,"s_to_c_max":1514,"s_to_c_stddev":513.6}}} 01224{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096812985585,"flow_dst_last_pkt_time":1346096813059760,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":648,"flow_dst_tot_l4_payload_len":5522,"midstream":0,"thread_ts_usec":1346096813059760,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01254{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":53,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":30,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096814309972,"flow_dst_last_pkt_time":1346096814377321,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":805,"flow_dst_tot_l4_payload_len":7462,"midstream":0,"thread_ts_usec":1346096814377321,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":53,"source":"pop3_stls.pcap","alias":"nDPId-test","packets-captured":53,"packets-processed":53,"total-skipped-flows":0,"total-l4-payload-len":8267,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1346096814377321} diff --git a/test/results/pps.pcap.out b/test/results/pps.pcap.out index 83c73653c..84e9f7b3b 100644 --- a/test/results/pps.pcap.out +++ b/test/results/pps.pcap.out @@ -25,16 +25,16 @@ 00551{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136440581,"flow_dst_last_pkt_time":1467353136440165,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1467353136440581,"pkt":"TF4M6gNlABxCjnAxCABFAABBf0AAAIARQDrAqHMI2+RrnFkJBOIALQK82oCeu7tQQPUjL7WiHx8fHhoTSt7f39\/fs\/\/\/\/\/\/\/\/\/\/7O8Q7\/w=="} 01929{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"pps.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136439495,"flow_dst_last_pkt_time":1467353136451735,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1107,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1107,"pkt_l4_len":1073,"thread_ts_usec":1467353136451735,"pkt":"ABxCjnAxTF4M6gNlCABFAARFKL0AAHkRbnJyKgCewKhzCB4kWQkEMQAA5YSwlpa05Mz2MVewhoaCw8Hl+3pZtoju6+vr60s2NjY2NjY2Mvku7QuOheQK9+NWgE7h2muxGM8D4DLm\/5x\/1\/JkPV6l86b3frCbpFSV7e2oOEkA4r\/bSCXhW8qYH5FqZgI6H822zV3AiRFliRCzdnIUkAPC4PeWFP8SV27xJ8xbxdt32Kzd8xhvmCkAgFUGD2aDXcaHo\/t3xxnKLSSA2No89lgZtTN6aTV4hYqd8hyVjK50Td7AS5rauDqcBz+RRXO4T+EAR5e7iDWXURHfR8EdQTfwsVkGPPWQFWZnZXoFkiluRuLCi6QTHJ\/wv2anzG520CpgomFFVPifWxBY1yo+25yZEvPeAFUPD9JwFSkkY+renkyqaouITdp\/U5xCqpe0AiGnlKCVH+BXW1qBJEl+erh8fAIyCpGCzFIqJ4Pmf9KyHWQyO4dZwZwHlnZ9L\/lCDYLl+5l+PyECs5D7mp401ix6MgQniSKHDqSvAoHhct48Iil039ISc4jtlzQP8VPwMzO9dm5pliz3vR0jeva2ymZtvGZZHTgf3Z20dDWyQbeaMA4XFPN2Dgy4dZttatnu9U\/U8ZcatdkKiTvqlJM38cgX5B7bCcpaNF6r3DNkDbHSWu4IAdS0k86zdu0VLwc0p8Sl4c42gst9OSqI2bgJaWokPPfPasrMJYfwhCW3ctsOEbYyz0tCOtujPD4KQzVdsNsD0KynxPfIWPXEi4xkfSsHXTRIuDUuPSCaFsBafpHRF0UphHR7Pno40CdJL751OfYk6pKOpNzNQbZZEehR+La+0h5w1JnTzl9xMmPBQfRhxB4vL3mFDo0xuCa+sNfqgmrXE4E39PE8sZpsHdLuGNschu3yhzgir1zABCnBIEcAyJ82rPj3RhxSQcuNkKpNPC9UtYHqYQAABjUJAANMAPSIAAAAACcBAAAAAAADQwGe+7MifwCEzAhiIBeWLxdoIrozlE8XeJKfA0uhUzS6uAS7Ddrnl5s0qHmNYhCP2pZ1KZuNwa9ptwEToJwndi6+1zT0Em8ViTT0l\/PGSsXOdNwvfrI1hMghxy4hD5qdkALJ90LEYzn1\/xjQkHRWjEqhjaHkpFzfnyr5yWlcpJ2H9l+D4J2fKYI45G95h2VWJS7e1cWbomHCJsHbzbwx2JxLcpC+eYkeCHz\/iclfVtYP\/E28eKUh+dQCQYHOCX1RgjhnndoYo4d9RCXRRhGqFWhuoX9Qkc6+q3FSYirrEYByX9CjozjqMmFBqri7DW7e\/A+Gtc1g4ZuGpzSVp4JMgIJcfPSA7z3zPWPYvTFuhpOQgZePdrYomcO3Fkae11rDSLaGWDnRLMyo5ZgKRiA5vOsVB0rF\/WA2Lanl39fkOuqzI5Mbb9\/2jAmNrToXgJUbWeGPhzwYtVlwp5b6KSwdvPQ0HH0AAAAA"} 01940{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136440581,"flow_dst_last_pkt_time":1467353136470091,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1107,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1107,"pkt_l4_len":1073,"thread_ts_usec":1467353136470091,"pkt":"ABxCjnAxTF4M6gNlCABFKARFVaEAAGURgK3b5GucwKhzCATiWQkEMdtFzISZv79URPEnK7GmGxsfXlyX4U4GsCimp6enp++jo6Ojo6OjpwDlWJTX1\/VR7NYrdZ8iw9hBVil1k3qsvepXHXvuMV4G4bY\/7FqHvHs6hWOCtrl3tuHHM3btfKlPjHjmmUJV9saYFG3shSVoHte4TwNPMs8Ihb+6CEl1C4ObFOV4cpEdSIpnRG\/HdCceK8v\/Yg4PX\/Y3QMZhvFEU\/aVfhwhsv41eQ1iaeG2UXEuD2KZKuPG0Tgd2x\/\/tZFf\/VtlLdZpCBJDKFeYnvEIiDsaQ7dS9bFDybOYNbQRsYlx4vdyTOQyZ9dWmPET9vKjX1C1s5QZnSJoAVU1k1fd+paH9lthbdOTYV7CKfmZy3IzKX6sKff+RpApDAs9XUVsB\/Kp1xnqFYTqzs3FAeAm8rVpI58rJM8tLYvBzAVaqwWhzIf0knXhYOVChXWhxhnaR46DwmBmHtJbiZv7kcOHpGmw+JJHvLbH\/9nhmnSxbGrTLXYrvdoMK+D4qHDYoKhCNTIqWr1x293NU\/irKFwQ77pDnFDMZGstHu45rqJzQRBnDBT\/RxyhgJlDUXZwbrBOWk54R3+0H9X8sCxCU0jByFfSreAvTxm9L5EmXKYI8LBBvn\/d30\/LgaB6FNc4qu7jT84ssBEc4Sde9KkWIkQ9UcCUBqIo85pR8QX8kwMAUE9Vcnxj57ZjyFlfvbMafZbPzw+dZdNM9fJdU8+vQ+8KnnRDAUrxC0dliIt8ifC7hLDk3kAHMA7BE6g0bZ4gKU2bjGJ5eqtWzSHnyBo9+hOrXUdoMDG36GRAle0bMitZabac6i0\/+Mrc9jBP2RSaKhfdrf32XNFopOiSbtB8JEk62kQAwm3uKD\/cndXhTvcem\/vXUa6xKv1Frofj24dy17GRlDqkS8zOCOsgMmzcCqauXneUes0mhMZCc9njZscArmdX7uWek8HqED71jcZoIG1kr11Cg3WkHBfBWlPOeDTI0fJIwZxYbBfKfY7EMdzylN\/T3aJ\/sPvpdQK4lQzeH+aKhhm7ycILBiO3aKE1LvOZknkff\/LsUxbrtpRqj1ADo4brAsYbrHyBbLtaVTGouvIRQUlMIYcYFiFwkOQDQMNEIKnN+TSbLptXblUGCNwJpX5f5Uk0\/QKmerhQPRa0UsG5OCykWNYoPSuMcfAD2GFF3wbR9U2X2Dk7cPApHN7NPhHT+sX\/QASfuLzjacAvs7KnfBVDkcL+5ODhe7XfUHprXAEc9YbqO3IYocMewPBVwRrw3TVJ5IZApjiX3IvBTM7IR1VIPJyyWgHQvzKJoZqrxDWR17vV38taeyJFoOUGl5V1tf+ulF2vCSr3JRzT5Tl+zLn+Qs\/hENB\/LIaOr0SiIhS\/XloJHeYuFn+yTXg8JXdPPH4UKKpKyF6kn+u\/7tG6FjsqJRu3WcAEAAAAA"} -01210{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":77,"source":"pps.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136432546,"flow_src_last_pkt_time":1467353136472487,"flow_dst_last_pkt_time":1467353136473380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136473380,"l3_proto":"ip4","src_ip":"1.173.5.226","dst_ip":"192.168.115.8","src_port":22636,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":104051200.0,"flow_max":3329557650,"flow_stddev":579318080.0,"c_to_s_min":1278,"c_to_s_avg":332959776.0,"c_to_s_max":3329557650,"c_to_s_stddev":998865984.0,"s_to_c_min":2,"s_to_c_avg":1856.1,"s_to_c_max":13473,"s_to_c_stddev":3578.7},"pktlen": {"c_to_s_min":1107,"c_to_s_avg":1107.0,"c_to_s_max":1107,"c_to_s_stddev":0.0,"s_to_c_min":79,"s_to_c_avg":79.0,"s_to_c_max":79,"s_to_c_stddev":0.0}}} +01180{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":77,"source":"pps.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136432546,"flow_src_last_pkt_time":1467353136472487,"flow_dst_last_pkt_time":1467353136473380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136473380,"l3_proto":"ip4","src_ip":"1.173.5.226","dst_ip":"192.168.115.8","src_port":22636,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":2605.6,"flow_max":13556,"flow_stddev":4035.9,"c_to_s_min":1278,"c_to_s_avg":4437.9,"c_to_s_max":13556,"c_to_s_stddev":4479.8,"s_to_c_min":2,"s_to_c_avg":1856.1,"s_to_c_max":13473,"s_to_c_stddev":3578.7},"pktlen": {"c_to_s_min":1107,"c_to_s_avg":1107.0,"c_to_s_max":1107,"c_to_s_stddev":0.0,"s_to_c_min":79,"s_to_c_avg":79.0,"s_to_c_max":79,"s_to_c_stddev":0.0}}} 00809{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":77,"source":"pps.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136432546,"flow_src_last_pkt_time":1467353136472487,"flow_dst_last_pkt_time":1467353136473380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136473380,"l3_proto":"ip4","src_ip":"1.173.5.226","dst_ip":"192.168.115.8","src_port":22636,"dst_port":22793,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} -01181{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":92,"source":"pps.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1467353136439181,"flow_src_last_pkt_time":1467353136477379,"flow_dst_last_pkt_time":1467353136477110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":10650,"midstream":0,"thread_ts_usec":1467353136477379,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"114.42.0.158","src_port":22793,"dst_port":7716,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":107,"flow_avg":2405.8,"flow_max":12554,"flow_stddev":3657.7,"c_to_s_min":107,"c_to_s_avg":1775.4,"c_to_s_max":12553,"c_to_s_stddev":3138.0,"s_to_c_min":694,"s_to_c_avg":3792.9,"s_to_c_max":12554,"s_to_c_stddev":4283.7},"pktlen": {"c_to_s_min":79,"c_to_s_avg":79.0,"c_to_s_max":79,"c_to_s_stddev":0.0,"s_to_c_min":1107,"s_to_c_avg":1107.0,"s_to_c_max":1107,"s_to_c_stddev":0.0}}} +01181{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":92,"source":"pps.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1467353136439181,"flow_src_last_pkt_time":1467353136477379,"flow_dst_last_pkt_time":1467353136477110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":10650,"midstream":0,"thread_ts_usec":1467353136477379,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"114.42.0.158","src_port":22793,"dst_port":7716,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":107,"flow_avg":2455.7,"flow_max":12554,"flow_stddev":3705.5,"c_to_s_min":107,"c_to_s_avg":1819.0,"c_to_s_max":12553,"c_to_s_stddev":3205.3,"s_to_c_min":694,"s_to_c_avg":3792.9,"s_to_c_max":12554,"s_to_c_stddev":4283.7},"pktlen": {"c_to_s_min":79,"c_to_s_avg":79.0,"c_to_s_max":79,"c_to_s_stddev":0.0,"s_to_c_min":1107,"s_to_c_avg":1107.0,"s_to_c_max":1107,"s_to_c_stddev":0.0}}} 00807{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":92,"source":"pps.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1467353136439181,"flow_src_last_pkt_time":1467353136477379,"flow_dst_last_pkt_time":1467353136477110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":10650,"midstream":0,"thread_ts_usec":1467353136477379,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"114.42.0.158","src_port":22793,"dst_port":7716,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":104,"source":"pps.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353136483217,"flow_src_last_pkt_time":1467353136483217,"flow_dst_last_pkt_time":1467353136483217,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353136483217,"l3_proto":"ip4","src_ip":"183.228.182.44","dst_ip":"192.168.115.8","src_port":13913,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":104,"source":"pps.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1467353136483217,"flow_dst_last_pkt_time":1467353136483217,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":87,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":87,"pkt_l4_len":53,"thread_ts_usec":1467353136483217,"pkt":"ABxCjnAxTF4M6gNlCABFAABJGboAAG4RkSi35LYswKhzCDZZWQkANUuZLYBpf39e0v7fca+OwsfHOTl\/IikLCQkWAAkJKytvb9HBysr2yjYJCAYGBiUA"} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":106,"source":"pps.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136483217,"flow_dst_last_pkt_time":1467353136483414,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1467353136483414,"pkt":"TF4M6gNlABxCjnAxCABFAABHf1sAAIARGYnAqHMIt+S2LFkJNlkAMzZRK4B+aGhJxenIZriZ1dfXqamg+fjwxMU1UFBQXFw8PHdzc3Nzc\/PMztbWAA=="} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":107,"source":"pps.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136483217,"flow_dst_last_pkt_time":1467353136483605,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1467353136483605,"pkt":"TF4M6gNlABxCjnAxCABFAABHf1sAAIARGYnAqHMIt+S2LFkJNlkAMzZRK4B+aGhJxenIZriZ1dfXqamg+fjwxMU1UFBQXFw8PHdzc3Nzc\/PMztbWAA=="} 01930{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":114,"source":"pps.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136440579,"flow_dst_last_pkt_time":1467353136492484,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1107,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1107,"pkt_l4_len":1073,"thread_ts_usec":1467353136492484,"pkt":"ABxCjnAxTF4M6gNlCABFKARFCXUAAGcRqYjexYoMwKhzCBssWQkEMdp11oSDpaWH1\/\/FAmSDtbWx8PLexT66472RkJCQkDRPT09PT09PS5jNKDDUtGPhLFjohGWYT2j8j83amDkrhZ3C\/2FQ5mdZnyaSlXvpTSw4QxzPKc\/1ppy0r1eRZI5oJ+p2dayL0dtYIRXg5e6MWgrC2be0L7w5uHO8F004aYCv4P9CJMUAHJpWAbSrTZTMfEtWFyfDkj7YkHwaP5UymM6nR48L2gXFeKkUsAfFE4YdqOFx0jp7Or60QKwF28+F5JlmKheAIJYQf2G3TqQY5Z0GTRcqhNLIOvYwJHCg1nj9RsIaYrnxmJ6DxwmjdzptTsT9sVdTMbkTg\/n2nGJhiOefKm8zFCoYHgU+C28Gf5sas1vu\/kt+OthMjccEo9wtGlC0ASPJ0qzS1sLHzYCsHMKDTYi9DD4foBrLZIc7pPx6JY6jOITQrc3efMsbAqZ1ZQQ9kAdp5K3mgsg3YJ0Q8Y0QZBWPHmxflGMFEMjHsP3GqPpnIAikccEmWg4o7+4F7KjVV7AVvTEyzA+8jQ1VrBrX5u+RVR9KG1O2SE5Cyq01BIwBHkezcDDf26H5C97IBIVRHEUN9a1I634tVX2hvonn9B8R7ucHFtbPm8v8XEfv5vsQiUBxdkQr4DEWqI+9efmJ7QzhmvbgsfQT\/lgyVKjuV7xATyGBulDT7mIFhQJis3fW7N6AP3W7D2NaqruF2RCWxjuAfiDF7FqVCRQStQiec12qDWggWFa5YJPYeAg3DNJYZLcxFww8J70\/Eg39+xjHkW\/GOLYez3x9FJNy88bzEiJFYwCTWUZnK3jDBLUaCFieNDFzqoKVzt+\/kSz+C3mshabnALJ2aYVnyWRkGVGRIw3S0WoTq9YykqwMV24Kk34rk9VX0xjIdoKqUAQsTP2sFY10R\/tU6R54Bq6N20vbHw0423rQBfXYTLF76muZ+5yrUbSgYHUxbnjBnVjpbbDNFDv1NDIURH8hFLeWNAsNZtLNHUp97veG5JCgSoBcNWrf5g+qs\/mmuRkZFHQLGQXlFjnHqt7DW7888AHgw3u4CiGUSrJzphDpfCWP0RgDn299d2Ril0LC8MhkTRLsCefsDfyp9t55XHR0+9rQ12xOawr2Gfk1nM+UlkyzEfd1uzpXju7BlNw\/XaM1RcvL26zFCGpLkhelssxeXpe1oStGT9+fgo5vRALSMf096AIfzKDk\/NbnZpnXY4r7ISHMeE5wJVp6Hs0TJswp0xbpQzaMzYGEvxoAbPu5kOZ9OipaPQfGALzzv2q6QmKKpdI3AnIh4LIO1vipAjAuDPqLWlCAnhJDj80pV4njf5FGejVXyupeYtcRvfudhBQ8G2H+16vYuNtcP3OV14wpgh5uQQEZwbFNlX+Dnyt\/qoHM45o25wYs9\/IAm40Qt01817PU8SGdpYVifHQAgAAA"} -01184{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":259,"source":"pps.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136433806,"flow_src_last_pkt_time":1467353136571752,"flow_dst_last_pkt_time":1467353136559870,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136571752,"l3_proto":"ip4","src_ip":"118.171.15.56","dst_ip":"192.168.115.8","src_port":5544,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":98,"flow_avg":8280.1,"flow_max":26979,"flow_stddev":8411.0,"c_to_s_min":954,"c_to_s_avg":13890.0,"c_to_s_max":26979,"c_to_s_stddev":7577.4,"s_to_c_min":98,"s_to_c_avg":5730.2,"s_to_c_max":24414,"s_to_c_stddev":7483.1},"pktlen": {"c_to_s_min":1107,"c_to_s_avg":1107.0,"c_to_s_max":1107,"c_to_s_stddev":0.0,"s_to_c_min":79,"s_to_c_avg":79.0,"s_to_c_max":79,"s_to_c_stddev":0.0}}} +01185{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":259,"source":"pps.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136433806,"flow_src_last_pkt_time":1467353136571752,"flow_dst_last_pkt_time":1467353136559870,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136571752,"l3_proto":"ip4","src_ip":"118.171.15.56","dst_ip":"192.168.115.8","src_port":5544,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":98,"flow_avg":8516.5,"flow_max":26979,"flow_stddev":8440.4,"c_to_s_min":5388,"c_to_s_avg":15327.3,"c_to_s_max":26979,"c_to_s_stddev":6568.0,"s_to_c_min":98,"s_to_c_avg":5730.2,"s_to_c_max":24414,"s_to_c_stddev":7483.1},"pktlen": {"c_to_s_min":1107,"c_to_s_avg":1107.0,"c_to_s_max":1107,"c_to_s_stddev":0.0,"s_to_c_min":79,"s_to_c_avg":79.0,"s_to_c_max":79,"s_to_c_stddev":0.0}}} 00811{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":259,"source":"pps.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136433806,"flow_src_last_pkt_time":1467353136571752,"flow_dst_last_pkt_time":1467353136559870,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136571752,"l3_proto":"ip4","src_ip":"118.171.15.56","dst_ip":"192.168.115.8","src_port":5544,"dst_port":22793,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":340,"source":"pps.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353136616772,"flow_src_last_pkt_time":1467353136616772,"flow_dst_last_pkt_time":1467353136616772,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353136616772,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"202.108.14.236","src_port":50462,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":340,"source":"pps.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1467353136616772,"flow_dst_last_pkt_time":1467353136616772,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1467353136616772,"pkt":"TF4M6gNlABxCjnAxCABFAAAof6tAAIAGbhvAqHMIymwO7MUeAFC+iLxRSK1JylAQQRKO+AAA"} @@ -42,7 +42,7 @@ 01942{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":387,"source":"pps.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136440580,"flow_dst_last_pkt_time":1467353136640432,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1109,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1109,"pkt_l4_len":1075,"thread_ts_usec":1467353136640432,"pkt":"ABxCjnAxTF4M6gNlCABFKARHPvMAAGwRBbvKxgdZwKhzCD6nWQkEM7bwtIThx8fltZ2nYAbh19fDgoHFsbOz05H7ys7Ozs7OUjMzMzMzMzM3d32QGgSgl3utg\/Lr9hRf++0ikCQTv4qzjqE0Vwx53Ozi5DZHrUJ0D9ld80WV2ev0tZtZRKXgAoVPxGV\/sVzgH4xC6HL79R7mq5iPtdzW66QMOgYGr3SE8p+G4rKdTYea586Ro7AY6bM28Jh0I5r5TVTI2fUcSzHV34y5S7zxuN9s2gdR+G2nAQ9di580b0fnOVMCMbQS0YymBcyPOk\/TMuDcu3jPoKDTMgO9S0s0IYLNh3NTzcMZuYatUE10g0vqD2WlKxR1edSPZQFM4WX\/I8oWPKSn5CmnWCJgNchgz7RCWXFcarMT+ited1xm8MkWOvZ2PeUCHfQ1MuOuLpD7j5mhw07uokSIlTUFQAnPCELFA5Psd1zbcuid+es8QtEP8h5Pg5ROnoUYgwG\/AmXnw02rh0T218tbI40AgvHe3fXoohnR3eOl8fPl6Tin6Gi3A066NBegsFeRPVSX+gHnt5FK1bZ00Z5WDtXOvCRcLb\/+iWvY\/Ph9J25OZG\/H6f9hZv6bNXwaaIuHTCkt2zE30xNgGrL5fP\/qsPXo4QVw4df\/AHUUWn7DNhotAyglmhZHHHx2D76uvfRLfpDX45nAOTU0aQzIlAkbjeL9MiunISwrfsUiGGi77jizTx7AZjJwIN9X0xB729dePDFW3iOjEJKi6wwqiXtgjp0Qn4ycT8aj3higqkAdmCf6viBeUxA4Ey0XJs8LeWlBWrWLGrAVX\/syUvSc0Qnt7hgTis34opRC9MgH7uPb+CPcACWQ4PyqMfFoB93v48Hj+r9dC9ONTO9C\/ktt3YfWgupPKQW8qdqTDsSYNY4LtVldBymEKQFgcafM+ACwgYLH3rkh38VWSezZwGc\/KyCgGlonrmjhRAudSNJrjk2I5hAwMjl3+Su91K1EqYBwzJUW5Alu89DYvHVV54Y1uiDfno+vg9g2pOTv9qD\/obGNrCOfIKiGoGknOiYUYI9eRr\/Qs1peKBmW\/7D5fFEEUzXzGE\/77OK829Wr420Sgnl\/\/9UHV4dxNEpg7Umuc4f16HFagvn7eaQRFd2LphIs7VvTz82qi7A\/OZJVG8fQa21CCaNp\/VwpaOYvMyyVi6a19f21I+oFHfTzAOIIV1wwifq0aAqUb5BxGVtvBKoejKKSwLl6F5F2DDKztCmxmzs\/WdQTTScN896khxt4jB6c6Mtj512hCjnKbeZFmlvfg6SdAKpUxQ3Gx6Yz3l9WLMoFQ3S6GdtYorTUz4zvLoxi+9EUFhpvg1ZrQIfeIXH93JJ0H9uwkye148Sa+dodTKDlcRbxOKd9fiM3Owhw5\/cz2k47y3guqZHbBfAcDjAReQ92\/933ihS1JB7je3wazbY+fsqer0ZQzO0QaggAAAA="} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":644,"source":"pps.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353136757007,"flow_src_last_pkt_time":1467353136757007,"flow_dst_last_pkt_time":1467353136757007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353136757007,"l3_proto":"ip4","src_ip":"192.168.5.15","dst_ip":"68.233.253.133","src_port":65125,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":644,"source":"pps.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1467353136757007,"flow_dst_last_pkt_time":1467353136757007,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1467353136757007,"pkt":"TF4M6gNlKDc3Alz6CABFAAA0AHFAAEAGMi3AqAUPROn9hf5lAFBsGPTh5ZgTx4AREAFu8AAAAQEICiYbPvkrIgZe"} -01189{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":725,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136440165,"flow_src_last_pkt_time":1467353136804834,"flow_dst_last_pkt_time":1467353136804280,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":8520,"midstream":0,"thread_ts_usec":1467353136804834,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"219.228.107.156","src_port":22793,"dst_port":1250,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":67,"flow_avg":22800.9,"flow_max":69635,"flow_stddev":21420.1,"c_to_s_min":67,"c_to_s_avg":15229.8,"c_to_s_max":45715,"c_to_s_stddev":17127.6,"s_to_c_min":29926,"s_to_c_avg":45514.4,"s_to_c_max":69635,"s_to_c_stddev":16350.7},"pktlen": {"c_to_s_min":79,"c_to_s_avg":79.0,"c_to_s_max":79,"c_to_s_stddev":0.0,"s_to_c_min":1107,"s_to_c_avg":1107.0,"s_to_c_max":1107,"s_to_c_stddev":0.0}}} +01189{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":725,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136440165,"flow_src_last_pkt_time":1467353136804834,"flow_dst_last_pkt_time":1467353136804280,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":8520,"midstream":0,"thread_ts_usec":1467353136804834,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"219.228.107.156","src_port":22793,"dst_port":1250,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":67,"flow_avg":23509.2,"flow_max":69635,"flow_stddev":21390.8,"c_to_s_min":67,"c_to_s_avg":15855.2,"c_to_s_max":45715,"c_to_s_stddev":17225.6,"s_to_c_min":29926,"s_to_c_avg":45514.4,"s_to_c_max":69635,"s_to_c_stddev":16350.7},"pktlen": {"c_to_s_min":79,"c_to_s_avg":79.0,"c_to_s_max":79,"c_to_s_stddev":0.0,"s_to_c_min":1107,"s_to_c_avg":1107.0,"s_to_c_max":1107,"s_to_c_stddev":0.0}}} 00809{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":725,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136440165,"flow_src_last_pkt_time":1467353136804834,"flow_dst_last_pkt_time":1467353136804280,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":8520,"midstream":0,"thread_ts_usec":1467353136804834,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"219.228.107.156","src_port":22793,"dst_port":1250,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":765,"source":"pps.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353136833095,"flow_src_last_pkt_time":1467353136833095,"flow_dst_last_pkt_time":1467353136833095,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":108,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":108,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":108,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353136833095,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"218.61.39.103","src_port":22793,"dst_port":17788,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":765,"source":"pps.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1467353136833095,"flow_dst_last_pkt_time":1467353136833095,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":150,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":150,"pkt_l4_len":116,"thread_ts_usec":1467353136833095,"pkt":"TF4M6gNlABxCjnAxCABFAACIADsAAIARBNXAqHMI2j0nZ1kJRXwAdM6LbABEsXEiUCg6x2bnNgAAAQADAAAAwKhzCAlZCtIsqwEGdAZ0b\/pmQpw8UwQ938xDXiteKyTtmkXcENwQJOknUZ5InkhvdWVRsieyJz3jqlgDTwNPynAfWaJVkHF5+IVd1THVMQGvgGhBFEEU"} @@ -124,7 +124,7 @@ 00611{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":819,"source":"pps.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136838373,"flow_dst_last_pkt_time":1467353136837852,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":130,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":130,"pkt_l4_len":96,"thread_ts_usec":1467353136838373,"pkt":"TF4M6gNlABxCjnAxCABFAAB0AFQAAIARBODAqHMI2j0nV1kJRXwAYC8EWABVcnEAAAAAx2bnNgcAAAAAAAAAFJfHSwLp2roy68F8GXs9tGoAAAAAGAAAAAYAAAANKAICAAAAAwAYAMCocwgJWRcAAAsKAAAAAAAlAfAI8dQdAAAAAA=="} 00612{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":820,"source":"pps.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136838373,"flow_dst_last_pkt_time":1467353136838051,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":130,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":130,"pkt_l4_len":96,"thread_ts_usec":1467353136838373,"pkt":"TF4M6gNlABxCjnAxCABFAAB0AFUAAIARCQHAqHMId7yFtlkJRXwAYCbMWABVcnEAAAAA4pCy\/AcAAAAAAAAAFAQbslmKl2DoSDdZBZ9sSucAAAAAAAAAAAYIAAANKAICAAAADQAYAMCocwgJWRcAABIKAAAAAAAlAcgIZPMJAAAAAA=="} 00612{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":821,"source":"pps.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136838374,"flow_dst_last_pkt_time":1467353136838171,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":130,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":130,"pkt_l4_len":96,"thread_ts_usec":1467353136838374,"pkt":"TF4M6gNlABxCjnAxCABFAAB0AFYAAIARp8zAqHMItz2naFkJRXwAYEeGWABVcnEAAAAAyMXU\/wcAAAAAAAAAFADpSP+bPHc9KoW3YGEXtKMAAAAAAAAAAAYIAAANKAIBAAAACAAYAMCocwgJWRcAACUKAAAAAAAlActw35cdAAAAAA=="} -01189{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":921,"source":"pps.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136439640,"flow_src_last_pkt_time":1467353136868041,"flow_dst_last_pkt_time":1467353136900861,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":7474,"midstream":0,"thread_ts_usec":1467353136900861,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"222.197.138.12","src_port":22793,"dst_port":6956,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":67,"flow_avg":27810.7,"flow_max":108044,"flow_stddev":30607.2,"c_to_s_min":67,"c_to_s_avg":17863.4,"c_to_s_max":79276,"c_to_s_stddev":24750.5,"s_to_c_min":18436,"s_to_c_avg":57652.6,"s_to_c_max":108044,"s_to_c_stddev":26870.9},"pktlen": {"c_to_s_min":79,"c_to_s_avg":79.0,"c_to_s_max":79,"c_to_s_stddev":0.0,"s_to_c_min":61,"s_to_c_avg":976.2,"s_to_c_max":1107,"s_to_c_stddev":345.9}}} +01189{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":921,"source":"pps.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136439640,"flow_src_last_pkt_time":1467353136868041,"flow_dst_last_pkt_time":1467353136900861,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":7474,"midstream":0,"thread_ts_usec":1467353136900861,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"222.197.138.12","src_port":22793,"dst_port":6956,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":67,"flow_avg":28697.5,"flow_max":108044,"flow_stddev":30689.6,"c_to_s_min":67,"c_to_s_avg":18626.1,"c_to_s_max":79276,"c_to_s_stddev":25005.2,"s_to_c_min":18436,"s_to_c_avg":57652.6,"s_to_c_max":108044,"s_to_c_stddev":26870.9},"pktlen": {"c_to_s_min":79,"c_to_s_avg":79.0,"c_to_s_max":79,"c_to_s_stddev":0.0,"s_to_c_min":61,"s_to_c_avg":976.2,"s_to_c_max":1107,"s_to_c_stddev":345.9}}} 00808{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":921,"source":"pps.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136439640,"flow_src_last_pkt_time":1467353136868041,"flow_dst_last_pkt_time":1467353136900861,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":7474,"midstream":0,"thread_ts_usec":1467353136900861,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"222.197.138.12","src_port":22793,"dst_port":6956,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":994,"source":"pps.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353138757317,"flow_src_last_pkt_time":1467353138757317,"flow_dst_last_pkt_time":1467353138757317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1260,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1260,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1260,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353138757317,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"101.227.200.11","src_port":50463,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 02195{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":994,"source":"pps.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1467353138757317,"flow_dst_last_pkt_time":1467353138757317,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353138757317,"pkt":"TF4M6gNlABxCjnAxCABFAAUUA1lAAIAGkOvAqHMIZePIC8UfAFBKp6EFWDmKmFAQ\/\/B9QgAAR0VUIC90cmFjazI\/YT0xJmFzPTE7MiwzOzQsNSZiPTE0NjczNTMxMzgmYz1hZTg3Y2IzY2ZkZjQ5NGFhNDhkYzYwODkwOWY2OTI1MCZjdj01LjIuMTUuMjI0MCZkPTUwMDAwMDA4NTg4NzQmZHI9MjE3NSZmPTRlM2FlNDE1YTU4NDc0OGFjOWFhMzE2MjhmMzlkMWU4Jmc9MF9hYW9lZmR0cWdmZGVweGMydG52M3BpdWNnY2I0ZW9mbiZoPSZpPXFjXzEwMDAwMV8xMDAxNDAmaXY9MCZqPTMxJms9MTgwOTMyMzAxJmtwPTRlM2FlNDE1YTU4NDc0OGFjOWFhMzE2MjhmMzlkMWU4Jm49NDc5NTMxMDAwJm89MSZwPTEwMDAwMDAwMDAzODEmcT01MDAwMDAwOTI3NTU4JnI9YzQ4ODllNjRhZDlkOWVlYjlmZjQzODkxMDg1MGM0NDImcnQ9MTQ2NzM1MzExMyZzPWFlYTU2YTgwOGZjOTJlZjM2MDUxOTEyMTk0OGUwZjI3JnN2PTQuMTAuMDA0JnU9MSZ1cD0mdj01MDAwMDAwODU5MTI0JnZlPTEmdz0yLDMgSFRUUC8xLjENCkFjY2VwdC1MYW5ndWFnZTogemgtQ04NClJlZmVyZXI6IGh0dHA6Ly93d3cuaXFpeWkuY29tL2NvbW1vbi9mbGFzaHBsYXllci8yMDE0MDkyNC9NYWluUGxheWVyXzVfMl8zX2MzXzJfMV82LnN3Zg0KcXlpZDogYWFvZWZkdHFnZmRlcHhjMnRudjNwaXVjZ2NiNGVvZm4NCnF5cGlkOiBfMjAxMg0KcXlwbGF0Zm9ybTogMC0yDQp4LWZsYXNoLXZlcnNpb246IDEyLDAsMCw3MA0KQWNjZXB0OiAqLyoNClByYWdtYTogbm8tY2FjaGUNCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50OiBNb3ppbGxhLzQuMCAoY29tcGF0aWJsZTsgTVNJRSA4LjA7IFdpbmRvd3MgTlQgNi4xOyBXT1c2NDsgVHJpZGVudC80LjA7IFNMQ0MyOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuNS4zMDcyOTsgLk5FVCBDTFIgMy4wLjMwNzI5OyBNZWRpYSBDZW50ZXIgUEMgNi4wKS9RWS1QbGF5ZXItV2luZG93cy8yLjAuMTAyDQpIb3N0OiBhcGkuY3VwaWQuaXFpeWkuY29tDQpDb29raWU6IHBwc19jbGllbnRfdmVyMj01LjIuMTUuMjI0MDsgVDAwNDA0PTRlM2FlNDE1YTU4NDc0OGFjOWFhMzE2MjhmMzlkMWU4OyBfcHBzX2l2aT1WazQ5TVRZd05UQTFMYVcvcFBtaFJ6OC9QNlRhcEVlbXVEOC9wTSt3Wmo4dHBMV3gzemd3cGxvL3BHYW9jU1pXVUQweEpsWkRQVDgvUHo4K3BMV3gzemd3cGxvL3BHYW9jU1pXU2owdE1TWldVejFRSmxaRVBTWldWRnRCWFQweU1UYzFKbFpOUFNaV1ZqMDFMakl1TVRVdU1qSTBNQ1pXVlQxb2RIUndPaTh2ZDNkM0xtbHhhWGxwTG1OdmJTOTJYekU1Y25K"} @@ -321,7 +321,7 @@ 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1149,"source":"pps.pcap","alias":"nDPId-test","flow_id":82,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353189363217,"flow_src_last_pkt_time":1467353189363217,"flow_dst_last_pkt_time":1467353189363217,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":892,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":892,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":892,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353189363217,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"202.108.14.236","src_port":50504,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01702{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1149,"source":"pps.pcap","alias":"nDPId-test","flow_id":82,"flow_packet_id":1,"flow_src_last_pkt_time":1467353189363217,"flow_dst_last_pkt_time":1467353189363217,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":946,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":946,"pkt_l4_len":912,"thread_ts_usec":1467353189363217,"pkt":"TF4M6gNlABxCjnAxCABFAAOkLbJAAIAGvJjAqHMIymwO7MVIAFBYgFOZMQ8QiVAYQTddVQAAR0VUIC9jcDIuZ2lmP2E9NGUzYWU0MTVhNTg0NzQ4YWM5YWEzMTYyOGYzOWQxZTgmYWk9JmFzPTE6NDU6MjN8NDUmYXY9NC4xMC4wMDQmYj0xODA5MzIzMDEmYz0zMSZjdD01MDAwMDAwOTIzNDQ3JmQ9MjE3NSZkaT0mZHA9NzEwMDAwMDEmZT1jNDg4OWU2NGFkOWQ5ZWViOWZmNDM4OTEwODUwYzQ0MiZlYz0mZW09JmZpPSZnPTAmbD1NVEU0TGpFMk15NDRMamt3Jm1rPSZudz0mb2Q9NTAwMDAwMDg1NDkzNCZvaT0mcD1hJnBwPSZyYz0mcmQ9JnJpPSZzPTE0NjczNTMxODcwNTMmc2g9JnNxPSZzdz0mdD0zcSZ1PTBfYWFvZWZkdHFnZmRlcHhjMnRudjNwaXVjZ2NiNGVvZm4mdj00Nzk1MzEwMDAmdnY9NS4yLjE1LjIyNDAmeD0meT1xY18xMDAwMDFfMTAwMTQwIEhUVFAvMS4xDQpBY2NlcHQtTGFuZ3VhZ2U6IHpoLUNODQpSZWZlcmVyOiBodHRwOi8vd3d3LmlxaXlpLmNvbS9jb21tb24vZmxhc2hwbGF5ZXIvMjAxNDA5MjQvTWFpblBsYXllcl81XzJfM19jM18yXzFfNi5zd2YNCnF5aWQ6IGFhb2VmZHRxZ2ZkZXB4YzJ0bnYzcGl1Y2djYjRlb2ZuDQpxeXBpZDogXzIwMTINCnF5cGxhdGZvcm06IDAtMg0KeC1mbGFzaC12ZXJzaW9uOiAxMiwwLDAsNzANCkFjY2VwdDogKi8qDQpQcmFnbWE6IG5vLWNhY2hlDQpDYWNoZS1Db250cm9sOiBuby1jYWNoZQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgOC4wOyBXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNC4wOyBTTENDMjsgLk5FVCBDTFIgMi4wLjUwNzI3OyAuTkVUIENMUiAzLjUuMzA3Mjk7IC5ORVQgQ0xSIDMuMC4zMDcyOTsgTWVkaWEgQ2VudGVyIFBDIDYuMCkvUVktUGxheWVyLVdpbmRvd3MvMi4wLjEwMg0KSG9zdDogbXNnLjcxLmFtDQoNCg=="} 01543{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1149,"source":"pps.pcap","alias":"nDPId-test","flow_id":82,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353189363217,"flow_src_last_pkt_time":1467353189363217,"flow_dst_last_pkt_time":1467353189363217,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":892,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":892,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":892,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353189363217,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"202.108.14.236","src_port":50504,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":17,"category":"Streaming","hostname":"msg.71.am","http": {"url":"msg.71.am\/cp2.gif?a=4e3ae415a584748ac9aa31628f39d1e8&ai=&as=1:45:23|45&av=4.10.004&b=180932301&c=31&ct=5000000923447&d=2175&di=&dp=71000001&e=c4889e64ad9d9eeb9ff438910850c442&ec=&em=&fi=&g=0&l=MTE4LjE2My44Ljkw&mk=&nw=&od=5000000854934&oi=&p=a&pp=&rc=&rd=&ri=&s=1467353187053&sh=&sq=&sw=&t=3q&u=0_aaoefdtqgfdepxc2tnv3piucgcb4eofn&v=479531000&vv=5.2.15.2240&x=&y=qc_100001_100140","code":0,"content_type":"","user_agent":"Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\/QY-Player-Windows\/2.0.102","detected_os":"Windows 7"}}} -01339{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1178,"source":"pps.pcap","alias":"nDPId-test","flow_id":81,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1467353189325739,"flow_src_last_pkt_time":1467353189360764,"flow_dst_last_pkt_time":1467353189374572,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":144,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":292,"flow_dst_tot_l4_payload_len":37052,"midstream":1,"thread_ts_usec":1467353189374572,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.19","src_port":50505,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":155785.7,"flow_max":4278141,"flow_stddev":793399.2,"c_to_s_min":35025,"c_to_s_avg":2156583.0,"c_to_s_max":4278141,"c_to_s_stddev":2121557.8,"s_to_c_min":1,"s_to_c_avg":1878.2,"s_to_c_max":35765,"s_to_c_stddev":6885.5},"pktlen": {"c_to_s_min":198,"c_to_s_avg":200.0,"c_to_s_max":202,"c_to_s_stddev":2.0,"s_to_c_min":566,"s_to_c_avg":1289.1,"s_to_c_max":1314,"s_to_c_stddev":134.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01323{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1178,"source":"pps.pcap","alias":"nDPId-test","flow_id":81,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1467353189325739,"flow_src_last_pkt_time":1467353189360764,"flow_dst_last_pkt_time":1467353189374572,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":144,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":292,"flow_dst_tot_l4_payload_len":37052,"midstream":1,"thread_ts_usec":1467353189374572,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.19","src_port":50505,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":3105.9,"flow_max":35765,"flow_stddev":9210.9,"c_to_s_min":35025,"c_to_s_avg":35025.0,"c_to_s_max":35025,"c_to_s_stddev":0.0,"s_to_c_min":1,"s_to_c_avg":1878.2,"s_to_c_max":35765,"s_to_c_stddev":6885.5},"pktlen": {"c_to_s_min":198,"c_to_s_avg":200.0,"c_to_s_max":202,"c_to_s_stddev":2.0,"s_to_c_min":566,"s_to_c_avg":1289.1,"s_to_c_max":1314,"s_to_c_stddev":134.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1393,"source":"pps.pcap","alias":"nDPId-test","flow_id":83,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353189784236,"flow_src_last_pkt_time":1467353189784236,"flow_dst_last_pkt_time":1467353189784236,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":431,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":431,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":431,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353189784236,"l3_proto":"ip4","src_ip":"192.168.5.38","dst_ip":"239.255.255.250","src_port":1900,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 01075{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1393,"source":"pps.pcap","alias":"nDPId-test","flow_id":83,"flow_packet_id":1,"flow_src_last_pkt_time":1467353189784236,"flow_dst_last_pkt_time":1467353189784236,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":473,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":473,"pkt_l4_len":439,"thread_ts_usec":1467353189784236,"pkt":"AQBef\/\/6cBiLE+IdCABFAAHLI6UAAAER3rTAqAUm7\/\/\/+gdsB2wBt3SETk9USUZZICogSFRUUC8xLjENCkhvc3Q6MjM5LjI1NS4yNTUuMjUwOjE5MDANCk5UOnVwbnA6cm9vdGRldmljZQ0KTlRTOnNzZHA6YWxpdmUNCkxvY2F0aW9uOmh0dHA6Ly8xOTIuMTY4LjUuMzg6Mjg2OS91cG5waG9zdC91ZGhpc2FwaS5kbGw\/Y29udGVudD11dWlkOjJmNjg4ZWNlLWMwYjEtNDEwNC1iOWU1LWNiY2VlNTAzZTZiNA0KVVNOOnV1aWQ6MmY2ODhlY2UtYzBiMS00MTA0LWI5ZTUtY2JjZWU1MDNlNmI0Ojp1cG5wOnJvb3RkZXZpY2UNCkNhY2hlLUNvbnRyb2w6bWF4LWFnZT05MDANClNlcnZlcjpNaWNyb3NvZnQtV2luZG93cy82LjIgVVBuUC8xLjAgVVBuUC1EZXZpY2UtSG9zdC8xLjANCk9QVDoiaHR0cDovL3NjaGVtYXMudXBucC5vcmcvdXBucC8xLzAvIjsgbnM9MDENCjAxLU5MUzowMDI4NWJjM2MzYmEyMDcwMDdlMWMzYjc2MjFjODQ3Ng0KDQo="} 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1393,"source":"pps.pcap","alias":"nDPId-test","flow_id":83,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353189784236,"flow_src_last_pkt_time":1467353189784236,"flow_dst_last_pkt_time":1467353189784236,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":431,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":431,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":431,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353189784236,"l3_proto":"ip4","src_ip":"192.168.5.38","dst_ip":"239.255.255.250","src_port":1900,"dst_port":1900,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"239.255.255.250:1900"}} @@ -407,7 +407,7 @@ 01085{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1461,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353196856069,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196856069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353196856069,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50778,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"preimage1.qiyipic.com","http": {"url":"preimage1.qiyipic.com\/preimage\/20160506\/f0\/1f\/v_110359998_m_611_160_90_1.jpg?no=1","code":0,"content_type":"","user_agent":"Qiyi List Client PC 5.2.15.2240"}}} 02213{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1462,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_packet_id":2,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196917508,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353196917508,"pkt":"ABxCjnAxTF4M6gNlCABFAAUUDjVAADgGss\/fGmoUwKhzCABQxlp7yE3nmzJ751AQAB9cGQAASFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IFFXUw0KRGF0ZTogRnJpLCAwMSBKdWwgMjAxNiAwNjowNjozNiBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDY2MTIxMQ0KQ29ubmVjdGlvbjogY2xvc2UNCkV4cGlyZXM6IEZyaSwgMDUgTWF5IDIwMTcgMTc6MzU6NTUgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTMxNTM2MDAwDQpBY2NlcHQtUmFuZ2VzOiBieXRlcw0KTGFzdC1Nb2RpZmllZDogVGh1LCAwNSBNYXkgMjAxNiAxNjoyMzo1NSBHTVQNClgtQ2FjaGU6IGZyb20gMTI3LjAuMC4xDQpBZ2U6IDQ4ODM0NDENClZpYTogaHR0cC8xLjEgUVRTIChRVFMgW2NIcyBmIF0pDQpYLUNhY2hlOiBmcm9tIDEwLjIyMS4zMi4yMTYNClgtQ2FjaGU6IE1JU1MgZnJvbSAyMjMuMjYuMTA2LjIwDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/9sAQwADAgIDAgIDAwMDBAMDBAUIBQUEBAUKBwcGCAwKDAwLCgsLDQ4SEA0OEQ4LCxAWEBETFBUVFQwPFxgWFBgSFBUU\/9sAQwEDBAQFBAUJBQUJFA0LDRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU\/\/4AC3FpeWkxLjAuM\/\/AABEIA4QGQAMBIgACEQEDEQH\/xAAeAAACAwADAQEBAAAAAAAAAAAGBwQFCAIDCQABCv\/EAHAQAAEDAwMCAwUEBAoDCgcAIwECAwQFBhEAEiEHMRMiQQgUUWFxFSMygUKRobEJFiQzUmJywdHwJYLhFzRDc5KywsTS1CY1U2Oiw\/EYNkR0g4aTlKSz01RWZGZ1doSjtBknRUZVhZWWxdW14jdXZf\/EAB0BAAIDAQEBAQEAAAAAAAAAAAUGAwQHAgEIAAn\/xABKEQACAQMDAQUEBwYFAwQBAQkBAgMABBEFEiExBhMiQVEUYXGRIzKBobHB0QcVJELh8DM0UmJyFiXxJjU2Q4KSF0RTc6LCY7LS\/9oADAMBAAIRAxEAPwDytAyeNWtFoU6vyTFgRlSXcbsJ9B8fl+eqxHqdN32eupf+5vW5UmPVHaHUHUpMapNHCmlDdxnBxnP7NTSEouRRHT4I7mdYpW2g0MdQukl49JKsmm3fb0+gS3BuZ97aKUPpwDubWPK4MKHKVEc6GfB+71qP21vapV7RkmgxSmNKRQ8iNNSkh8JU22lxLigdq962\/E4T5c4BOs+RYyXt+9GvEJIzXtxb9zIY85++q2mvKhvb0f6yf6Q1fvM+8sb2vwajqp2x9KEaMLI6f1e5vG9xjq92\/SfdVsZCvmo9z8k5+mpopSG2jmvYSyHaelDtuyUwH0vLXs82ngvqqxcNDk0eP4PljJZU\/wCH5nMjBx9B66X\/AFL6K3H04lNe+x25cNxhuQ3JiKK0bVDI3DgpPxyPz0GUyqzaa9vjp93WrCfER6D4jRLayjnijVvclPAKOG4EOlTUKQvwv6qv0vppy2vUkLpxXv3o2+XSltd5ittlC0KkPf8ACSZPJ47AZ9NGTdbjURtq"} 02220{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1463,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_packet_id":3,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196917511,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353196917511,"pkt":"ABxCjnAxTF4M6gNlCABFAAUUDjZAADgGss7fGmoUwKhzCABQxlp7yFLTmzJ751AQAB+1AQAAFHWnfu3ebsPmflqKi8LbOppt0aSln8a0oQnzOKX6fXTzo\/s7tX30MrdPrafdJ9wOpqEVa0+eCttATGWR8cDKh8HCNIf2Y7kse++qsW3Z9ZRJmISqRHhlv7ua8gbtu88KwMqCRndtPwwr0FYe3t6IW8WfGaEajdpKO6T7a8f7q6eXHYM73S46PKpTyVFtK32z4SyP6Dn4VD6HUejUGdXqrT6VTI\/vdSmvtxYrHiJaC1rVtGVnhKfUlR4AJ16QVv3OsV+5oM2OzU4HhtpejSW0raWT2G05\/CnHPx0obh9myNSbjod09Pap\/FmsUupt1BtqSFvxFhIVlBSDuGc4POMZxg6\/XEcyITHyaXYrUM4B6Gst3D0dv22KjesSo2u6f4mtIdrsiFKafZjNrwULQrI8Tck7ylIyACVAaiTOjt7U2gUet1O2pFNpVZYVKp8lx5twPNBIWVHYo+Gdp3bV4OAT6a0xfk3q\/SqN1XjzmEVOHe7qXEyae+XGKY3w2pLbYTkbmQG1KIB8iTyd2lNevUKq1roxZ9hNOOsfYa1eNIShLQeSlstNIGw5O1CnASr8W7nOlh7u7jOGFMEOl2hfEkoApQO9P60p+VHRCeW9Ec2SG0srUtlWCdqwE+U4B4Vj8OhesUp+lSlx5aPCeR+JH6Q5wQfgc8YOmdXrjbcYne5Ux2lTJLiXHJbVVkuLOM\/i3K8xIJGVZ+Whhi7ZNK97Rs94XJTtcddcO4\/iJyfiSrOdXLa6mdvGK5v7Kygi320m41QWoypc57\/iT+8apK8zsqsv\/jDpm2pcKnrVl09bSdkbwvvd310AXb\/41P8AxaP3aMQybnNCnTFuDTCmX\/AehhjDIbSAPKnVJGrkeoyvd4EUynsZ2oT6D4nPH5n5aB6xc36KEI3fQaNvZ9v2pWncEydBmyKVU3Ep92qEfylsjdxnHGd37OdCJbRljMvU0q6Zo8N7cql0+1T5129VKLc\/Syqil3Xa9Qt6Y4kqZEyPtQ+njzNODyuDBTkpJxuGdLxuRMrLm2NCed3f0Ua2H7T3WGX7SU6g\/bURj3OhpKYcnGJKkqabS6HFA7Vblo8TAAx2ydKmO5DpLKWocZKNv6WdWraPwBzwa8vLeGwmMKDcR6HNLKkWS6k+LPgSD8vTRRGTIZ2tQ6a6P7RGNXc64okVKlPvo+m7QlVup7Dfkjqb\/I6u7iPOh+55T9XirgVKTSfPK4\/qJc1El3vLmJU2xD\/1lk6Cn788Zwq2hav62Tr4Xw5t8qUj\/V1x3j\/y8VaEMnklWFQg1yY2l9X3TKzhPwOO\/wCrOulNLqCW9q5pS38E5xrn\/HR+bQfdURl+9Ik+MiUCQkp27S3t7ZJwd2dc7URUalWIrlTZe+yVFXiOKSdnrjJHzx664DsR1oitrcEgAYqJ4K4v4Xx+rXwlFKfM\/wDs0YdYLVi2\/R6VPpjS\/DlZS67HytltSOVZVk4J3JIB+fOlYZC9vm8356mTGM1O9q8bbSc1bSFNq3bXV7tdLCXHlbfHA4yVHOAB+v8AdqvebmNspfcQUtr7HXFp7wVbtxV6HUrHCHb1qxDGAw39KNZfTyrU1Q94TGRmImaFLfH8yr8Kvz+HfUumWDVqp44YfiL8BxDToEgJCFKKgkHPx2q5Hw510nqOxJTJT\/Fqmp8SP7sOM+HyrCx\/X8xyeO6vUjFt"} -01341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1492,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1467353196856069,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196981279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":39060,"midstream":1,"thread_ts_usec":1467353196981279,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50778,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8922.0,"flow_max":115683,"flow_stddev":24807.3,"c_to_s_min":115683,"c_to_s_avg":115683.0,"c_to_s_max":115683,"c_to_s_stddev":0.0,"s_to_c_min":1,"s_to_c_avg":4815.8,"s_to_c_max":61439,"s_to_c_stddev":13558.3},"pktlen": {"c_to_s_min":303,"c_to_s_avg":303.0,"c_to_s_max":303,"c_to_s_stddev":0.0,"s_to_c_min":1314,"s_to_c_avg":1314.0,"s_to_c_max":1314,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01325{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1492,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1467353196856069,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196981279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":39060,"midstream":1,"thread_ts_usec":1467353196981279,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50778,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":4815.8,"flow_max":61439,"flow_stddev":13558.3,"c_to_s_min":0,"c_to_s_avg":0.0,"c_to_s_max":0,"c_to_s_stddev":0.0,"s_to_c_min":1,"s_to_c_avg":4815.8,"s_to_c_max":61439,"s_to_c_stddev":13558.3},"pktlen": {"c_to_s_min":303,"c_to_s_avg":303.0,"c_to_s_max":303,"c_to_s_stddev":0.0,"s_to_c_min":1314,"s_to_c_avg":1314.0,"s_to_c_max":1314,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1601,"source":"pps.pcap","alias":"nDPId-test","flow_id":103,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353197131515,"flow_src_last_pkt_time":1467353197131515,"flow_dst_last_pkt_time":1467353197131515,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":133,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":133,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":133,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353197131515,"l3_proto":"ip4","src_ip":"192.168.115.1","dst_ip":"239.255.255.250","src_port":50945,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1601,"source":"pps.pcap","alias":"nDPId-test","flow_id":103,"flow_packet_id":1,"flow_src_last_pkt_time":1467353197131515,"flow_dst_last_pkt_time":1467353197131515,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1467353197131515,"pkt":"AQBef\/\/6dNArkea6CABFAAChc\/sAAAERIa3AqHMB7\/\/\/+scBB2wAjWbYTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="} 00901{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1601,"source":"pps.pcap","alias":"nDPId-test","flow_id":103,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353197131515,"flow_src_last_pkt_time":1467353197131515,"flow_dst_last_pkt_time":1467353197131515,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":133,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":133,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":133,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353197131515,"l3_proto":"ip4","src_ip":"192.168.115.1","dst_ip":"239.255.255.250","src_port":50945,"dst_port":1900,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"239.255.255.250:1900"}} @@ -423,7 +423,7 @@ 01085{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1998,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353198532645,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198532645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353198532645,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50780,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"preimage1.qiyipic.com","http": {"url":"preimage1.qiyipic.com\/preimage\/20160506\/f0\/1f\/v_110359998_m_611_160_90_2.jpg?no=2","code":0,"content_type":"","user_agent":"Qiyi List Client PC 5.2.15.2240"}}} 02225{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1999,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_packet_id":2,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198595498,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353198595498,"pkt":"ABxCjnAxTF4M6gNlCABFAAUUAJVAADgGwG\/fGmoUwKhzCABQxlwKAEr9wq8jr1AQAB\/+YwAASFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IFFXUw0KRGF0ZTogRnJpLCAwMSBKdWwgMjAxNiAwNjowNjozOCBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDY4MDQ1Mw0KQ29ubmVjdGlvbjogY2xvc2UNCkV4cGlyZXM6IEZyaSwgMDUgTWF5IDIwMTcgMTc6MzU6NTYgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTMxNTM2MDAwDQpBY2NlcHQtUmFuZ2VzOiBieXRlcw0KTGFzdC1Nb2RpZmllZDogVGh1LCAwNSBNYXkgMjAxNiAxNjoyMzo1NSBHTVQNClgtQ2FjaGU6IGZyb20gMTI3LjAuMC4xDQpBZ2U6IDQ4ODM0NDINClZpYTogaHR0cC8xLjEgUVRTIChRVFMgW2NIcyBmIF0pDQpYLUNhY2hlOiBmcm9tIDEwLjIyMS4zMi4yMTYNClgtQ2FjaGU6IE1JU1MgZnJvbSAyMjMuMjYuMTA2LjIwDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/9sAQwADAgIDAgIDAwMDBAMDBAUIBQUEBAUKBwcGCAwKDAwLCgsLDQ4SEA0OEQ4LCxAWEBETFBUVFQwPFxgWFBgSFBUU\/9sAQwEDBAQFBAUJBQUJFA0LDRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU\/\/4AC3FpeWkxLjAuM\/\/AABEIA4QGQAMBIgACEQEDEQH\/xAAeAAACAwADAQEBAAAAAAAAAAAGBwQFCAIDCQABCv\/EAG8QAAEDAwMCBAMEBAgGDQUCHwECAwQFBhEAEiEHMQgTIkEUUWEVMnGBI0KRoQkWJFJyscHRJTNigsPwFyY0Q3OSssLE0tTh8TVThqKz0xg2RGODhIWTo6S0J1RkdHWURnYZN0VVVmVmlZbF4tUp\/8QAHQEAAgMBAQEBAQAAAAAAAAAABQYDBAcCAQgACf\/EAEcRAAIBAwMBBgMGAwcEAQMCBwECAwAEEQUSITEGEyJBUWEUcYEjMpGhsdEVweEHJDNCUmLwFiVy8SY0Q1NzNYKyosJjg9L\/2gAMAwEAAhEDEQA\/APMptJVH130SjzK1ODEJhT7nfaPYfU\/36sLbZpa5kcVlcxmmZPnLp7aFPYwcbQogZzjufnpudML6tTppWVy7NuK4oNWd+7OqUFmN5GAcbVNvOHnPOQB9dazqvexW8bxLlgK902GK6uRDM20HzpX9Quk14dJ6+mm3hbs635Lw8xn4xrah5PHqbX91wcpyUk9+dVO39FrVXio8T1teJOo0iFdEycw1Qk4p82j0xuVIUFNoS8h5S32knctsODaDjdjSXTR+mhR\/8EV3\/wCdb0Q\/9O132ZlLRu0gOSfSoNQiW2mMQOflzSwqSfu64U5Pq0xp1E6YHG+6LuT\/AOjUX\/t+umJROmSVei6rsV+Nsxv+36hlUfxbf5VSDjZ0oKmp\/Qq120RP8lV+OjiVR+nKm1brouhH\/ozGP\/T9fU2j9O0x1eXdVzrTnv8AxYj8f\/R+j\/fKmqCTB+6fKoi+UxQFTU+pz8TqJKZP2n+f9+mRBo\/Tncry7suVfJ\/\/AAYYH\/T9R36H02+L3Ku250q+"} 02234{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2000,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_packet_id":3,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198595505,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353198595505,"pkt":"ABxCjnAxTF4M6gNlCABFAAUUAJZAADgGwG7fGmoUwKhzCABQxlwKAE\/pwq8jr1AQAB8TPwAAQtiP\/X8fofczLJZRL\/v\/AJ10rgMaH2Gf0Z1VVRnTPjUywEtnbclzqH\/4txv+36rp9H6bKz5tz3WP6Nsxj\/0\/TXrE0cmn7QD09DVaNjvoBpjfp1znU2VIcOxhxTO3cpxDZUEjnvgfQ9\/kdMGm0bpqlI2XLdrn\/o5FH\/T9HQ6yUG2uklRsGHVriXDly3XBJfo0UFplaUZbSBKJGVpWo+rH6Q8ZJ0lao8w0NVtwc5GeOMfOiVqYmnxKcCg6odBbrtWm0V+ox2Gm6o0XGFCU2spISpRQ4kEqaWEDdtWEn8+Nc5fQi6E7EFMNCluIaAMtGQpRwnPJ4ORydHnUzrNSes\/2KupyKzGZp0NDO+PSY6nZDqRtLrizKHcfvJ1Uzn6DNoUaGmnXP5aWkJakx7dYSp1KVbgorEkhWT3Iz31Qgve0ENiqumF8sjyo+kejk5Lkmq1fhC6hU9DqlM0xzccFLc9ClcKAPGP8odtLOv2vPs6vzKPUUoTMiq2u+UrekH6Ht+zTeVVqHU0T0NWpcm6WzjezbzSVoHqTvQQ7nPqwT+3Vr0XtGkXqK5FtuDc9TktNIVML8unxEoQd4QEl1RGSQc89wNRaRfTWzCa7P2a+f1qneLaFMW2S1Z3nt418lHoT+Gtf0\/wxVG94D1sU62a09IhOtMeWu5qQlYdU0h0cc7glDyCvafzJ1lao0ldLnTYT6C29FecYcRuC9qkKKVDI4OCDyANaFpeo2mrXEq27ZIFBGR41BcYodQCY6tSKJSJlZnCPBjqfe+8Up9h+P9+rC3GqUufH+2lzG6Zk+caelCnsYONoUQO+O5+em50yvu0umdZVMs64rip1Wd5TOqMNmP5GAcbVNuuHnPO4AfXSjqxlggSSJcsBRTTYYrq5EMzbQfOlb1E6TXh0kryKbeFuz7flPArZ+MaKUPp49Ta\/uuD1J5ST351UJb9OtW+KrxO2z4lKjR4d0TZzTVCTtp02jU5qTIUFtoS8l5a32knctsLG1JxuxnSURR+mpSn\/AA\/d6f8A5QxD\/wBN1x2ZlLJIzqck+lQ6hCLeXuwQcenNLCop241wgJ3uaZU2i9MDjfct3J\/9HIh\/6frpi0bpilz0XPdh\/G2ov\/b9cygfxbd5VSD+DFA0xH6PUijJ\/krn46NplG6cKbO66LpH4WzGP\/T9cqZSOnaWHPKue6Fc\/wD7Mxh\/0\/R8TKmqB8H7p8jUJbKYoCpbf6RzPz\/t1Ekt\/wCESPqNMaDRunO9zy7nuhfz\/wBrMf8A7frpfofTb4w7rqugOZ7fxZjH9\/x+hlzMr2US\/wC\/+ddK\/iPFDjDPp1VVNs86aLFM6fBO1Nx3Qf8A0cjf9v1XzaN02P8Ajbmuwf0bai\/9v026vPFLp+1c9PQ1DGWDcil9SmztPOu6bTZMhYUhhxTIG5TiW1KCRz3wD\/qNHtOpHTNI\/RXDdzv\/AKOxU\/8ATjo5HWShW10lqVgw6ncTkOXLecTJk0mNlthaEZbAEknJWlajzj1n3J0l6o8x0RVtwc5GeOMfOiFr3bT4mOBQhUOgl1WpTaK\/UY0dpuqtFxgolNrUkhKlFDiAoqaVtGcLA\/brnK6FXQnCFIhoUtxLQCpSM7lHCQRk98jv20ddTes1M60fYqqm9WIrNOhts741LjqdkOgbS64syR3H7yc6qZ0mhzKDFi\/ZdylkMIQ1"} -01343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2029,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1467353198532645,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198686720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":39060,"midstream":1,"thread_ts_usec":1467353198686720,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50780,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":26264.4,"flow_max":581329,"flow_stddev":108027.9,"c_to_s_min":581329,"c_to_s_avg":581329.0,"c_to_s_max":581329,"c_to_s_stddev":0.0,"s_to_c_min":1,"s_to_c_avg":5706.5,"s_to_c_max":62853,"s_to_c_stddev":16390.1},"pktlen": {"c_to_s_min":303,"c_to_s_avg":303.0,"c_to_s_max":303,"c_to_s_stddev":0.0,"s_to_c_min":1314,"s_to_c_avg":1314.0,"s_to_c_max":1314,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +01325{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2029,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1467353198532645,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198686720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":39060,"midstream":1,"thread_ts_usec":1467353198686720,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50780,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":5706.5,"flow_max":62853,"flow_stddev":16390.1,"c_to_s_min":0,"c_to_s_avg":0.0,"c_to_s_max":0,"c_to_s_stddev":0.0,"s_to_c_min":1,"s_to_c_avg":5706.5,"s_to_c_max":62853,"s_to_c_stddev":16390.1},"pktlen": {"c_to_s_min":303,"c_to_s_avg":303.0,"c_to_s_max":303,"c_to_s_stddev":0.0,"s_to_c_min":1314,"s_to_c_avg":1314.0,"s_to_c_max":1314,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00806{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2456,"source":"pps.pcap","alias":"nDPId-test","flow_id":98,"flow_packet_id":2,"flow_src_last_pkt_time":1467353196348641,"flow_dst_last_pkt_time":1467353199417673,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":275,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":275,"pkt_l4_len":241,"thread_ts_usec":1467353199417673,"pkt":"ABxCjnAxTF4M6gNlCABFAAEF4D5AADEGSkB7fW9GwKhzCABQxlcB794psg4Z21AYPLiOgAAASFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IFRlbmdpbmUNCkRhdGU6IEZyaSwgMDEgSnVsIDIwMTYgMDY6MDY6MzggR01UDQpDb250ZW50LVR5cGU6IHRleHQvcGxhaW47Y2hhcnNldD1VVEYtOA0KQ29udGVudC1MZW5ndGg6IDI5DQpDb25uZWN0aW9uOiBjbG9zZQ0KQWNjZXNzLUNvbnRyb2wtQWxsb3ctQ3JlZGVudGlhbHM6IHRydWUNCg0KeyJkYXRhIjp0cnVlLCJjb2RlIjoiQTAwMDAwIn0="} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2545,"source":"pps.pcap","alias":"nDPId-test","flow_id":106,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353200271229,"flow_src_last_pkt_time":1467353200271229,"flow_dst_last_pkt_time":1467353200271229,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353200271229,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50781,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00844{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2545,"source":"pps.pcap","alias":"nDPId-test","flow_id":106,"flow_packet_id":1,"flow_src_last_pkt_time":1467353200271229,"flow_dst_last_pkt_time":1467353200271229,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":303,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":303,"pkt_l4_len":269,"thread_ts_usec":1467353200271229,"pkt":"TF4M6gNlABxCjnAxCABFAAEhNFdAAIAGSKDAqHMI3xpqFMZdAFCAFVM2Sak8SVAYAQQb1wAAR0VUIC9wcmVpbWFnZS8yMDE2MDUwNi9mMC8xZi92XzExMDM1OTk5OF9tXzYxMV8xNjBfOTBfMy5qcGc\/bm89MyBIVFRQLzEuMQ0KVXNlci1BZ2VudDogUWl5aSBMaXN0IENsaWVudCBQQyA1LjIuMTUuMjI0MA0KSG9zdDogcHJlaW1hZ2UxLnFpeWlwaWMuY29tDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXANClByYWdtYTogbm8tY2FjaGUNCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlDQpDb25uZWN0aW9uOiBjbG9zZQ0KQWNjZXB0OiAqLyoNCg0K"} diff --git a/test/results/psiphon3.pcap.out b/test/results/psiphon3.pcap.out index eced0a008..d9ae77f36 100644 --- a/test/results/psiphon3.pcap.out +++ b/test/results/psiphon3.pcap.out @@ -7,7 +7,7 @@ 01170{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079143404,"flow_dst_last_pkt_time":1613865079140404,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1613865079143404,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"2d703033628575a99d44820c43b84876","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01233{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":5,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079144402,"flow_dst_last_pkt_time":1613865079168363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1613865079168363,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"2d703033628575a99d44820c43b84876","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01632{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079144402,"flow_dst_last_pkt_time":1613865079168363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":2422,"midstream":0,"thread_ts_usec":1613865079168363,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"","tls": {"version":"TLSv1.2","server_names":"sni.cloudflaressl.com,psiphon3.net,*.psiphon3.net","ja3":"2d703033628575a99d44820c43b84876","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3","subjectDN":"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com","alpn":"h2,http\/1.1","fingerprint":"49:30:DE:8F:B7:AF:C3:76:40:09:44:15:B4:6B:D9:8F:BE:0C:6B:0C"}}} -01223{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079254264,"flow_dst_last_pkt_time":1613865079202653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2038,"flow_dst_tot_l4_payload_len":5498,"midstream":0,"thread_ts_usec":1613865079254264,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":998,"flow_avg":50147168.0,"flow_max":1052879685,"flow_stddev":224217808.0,"c_to_s_min":998,"c_to_s_avg":81000840.0,"c_to_s_max":1052879685,"c_to_s_stddev":280557280.0,"s_to_c_min":1389,"s_to_c_avg":9953.0,"s_to_c_max":25852,"s_to_c_stddev":8168.3},"pktlen": {"c_to_s_min":40,"c_to_s_avg":155.4,"c_to_s_max":1048,"c_to_s_stddev":236.0,"s_to_c_min":40,"s_to_c_avg":434.4,"s_to_c_max":1500,"s_to_c_stddev":539.8}}} +01199{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079254264,"flow_dst_last_pkt_time":1613865079202653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2038,"flow_dst_tot_l4_payload_len":5498,"midstream":0,"thread_ts_usec":1613865079254264,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":998,"flow_avg":10543.0,"flow_max":46102,"flow_stddev":11726.4,"c_to_s_min":998,"c_to_s_avg":10936.2,"c_to_s_max":46102,"c_to_s_stddev":13576.2,"s_to_c_min":1389,"s_to_c_avg":9953.0,"s_to_c_max":25852,"s_to_c_stddev":8168.3},"pktlen": {"c_to_s_min":40,"c_to_s_avg":155.4,"c_to_s_max":1048,"c_to_s_stddev":236.0,"s_to_c_min":40,"s_to_c_avg":434.4,"s_to_c_max":1500,"s_to_c_stddev":539.8}}} 01636{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079254264,"flow_dst_last_pkt_time":1613865079202653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2038,"flow_dst_tot_l4_payload_len":5498,"midstream":0,"thread_ts_usec":1613865079254264,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"","tls": {"version":"TLSv1.2","server_names":"sni.cloudflaressl.com,psiphon3.net,*.psiphon3.net","ja3":"2d703033628575a99d44820c43b84876","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3","subjectDN":"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com","alpn":"h2,http\/1.1","fingerprint":"49:30:DE:8F:B7:AF:C3:76:40:09:44:15:B4:6B:D9:8F:BE:0C:6B:0C"}}} 01152{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":62,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":30,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079845431,"flow_dst_last_pkt_time":1613865079841273,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3700,"flow_dst_tot_l4_payload_len":5574,"midstream":0,"thread_ts_usec":1613865079845431,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":62,"source":"psiphon3.pcap","alias":"nDPId-test","packets-captured":62,"packets-processed":62,"total-skipped-flows":0,"total-l4-payload-len":9274,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1613865079845431} diff --git a/test/results/quic-28.pcap.out b/test/results/quic-28.pcap.out index ef83ab668..545f623d3 100644 --- a/test/results/quic-28.pcap.out +++ b/test/results/quic-28.pcap.out @@ -5,7 +5,7 @@ 01103{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1591267474847575,"flow_src_last_pkt_time":1591267474847575,"flow_dst_last_pkt_time":1591267474847575,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1200,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1200,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1200,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1591267474847575,"l3_proto":"ip4","src_ip":"10.9.0.2","dst_ip":"104.26.11.240","src_port":60106,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Cloudflare","proto_id":"188.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.wireshark.org","quic": {"tls": {"version":"TLSv1.3","ja3":"1e022f87823477abd6a79c31d70062d7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-28,h3-27","tls_supported_versions":"TLSv1.3"}}}} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1591267474847575,"flow_dst_last_pkt_time":1591267474861209,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1591267474861209,"pkt":"bmImQfCg7jdRvai\/CABFAABL8YhAADkR0gRoGgvwCgkAAgG76soANzParQAAAAAUQMS6Zy9FF9Xn7IIP1UsQeHX9qMwQgoOBp4aIL+MPCXOdR4KiF\/8AABs="} 02122{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1591267474861366,"flow_dst_last_pkt_time":1591267474861209,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1242,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1242,"pkt_l4_len":1208,"thread_ts_usec":1591267474861366,"pkt":"7jdRvai\/bmImQfCgCABFAATMbsJAAEARSUoKCQACaBoL8OrKAbsEuILewv8AABsQgoOBp4aIL+MPCXOdR4KiFxRAxLpnL0UX1efsgg\/VSxB4df2ozABEgps603pxkyOuWqOuDCBHqFD5j6Z3HbedH1LdiS7r9g7eF1q+4GbQDzwEnV9STArM0Em4niSxcOP14YGEMbCxBeurtCEC8Tmf6DBDqyOKEQqlh98RR0FuyctJCM99u6oRT6urYJjdL6PSSu3YTL8HY6NviKj+LkpdTz6KmCgYvbgKd7NEhPEXmVYO+dL7mTC6YtcnEsrAHQU704mlKvqtFGL2\/5msnq\/TWBIk6bybV0DxYkGzE2Dnlwtw+dvrt9SpZJQBYmvuqQWRkw7Xl0Ri5Ou\/YH0Nf3CEwfW93dKkzcyI\/xYg9i+2QKy1ICjIZ\/JAWTdEHFRK8O6Gl0vStYOHFWBxnM\/YifVgYZg0OsrKE2RfzjKKmCKUpNz\/eEInpy3g7Oy6BASDjgCLyqH4KHC0RkRyxMeAwO\/4Ueuev5PR+GIZT6RPX+8eDG+GEJz8bGHJ80oLKupj5MfUtk1+qegg2dzVfHgOvprBxIArXCNmBUVNivV7wlObqf87COabZiPrwNrq3bed\/ALhpVnLbXDu3mPYFozof6hWLQUSRUCvRIP+L3zyyxfAOLZZ711TySAZxpgSSNbMb5wMga2ZxBCZGIiJBujBs0RFh65ea1D90334s1gOATeyFD6G0Y5nni0vv93RqV0rCUx5NmKsmees6Lb5Tn92zzlLElQ0tJj8i0NV+A1o9UmRJisTfKPDHGhnjIKCy7tWmA\/6WnyjC5MVpEofvbOp6VSLzrYFEbs4xO0nP5EWcI9akrhkBkR4BVPvA3BR\/JNC6qdA6XjZq7vEC4PK42e5TCzz\/lS4AoqV6qY+iOUqeRm\/KZeFGwLXw2YBxOFGvLQSYLCrM0JT+ZZ\/+YM0cgNTb4UsfslWeAa\/dEDn2K0d5vlVIufoqB2DscZriUDfkBrMe3p2BYO28jOG0dIt\/\/+wVszbGGjaG2DAkiTDrcM67+fz7k2j14PiNbU6+l0I0CfyoRbB67XXdFnPllMtNEGiR4aBRcQCCchbCVwdD7xGfKg8VLCKykEzUES\/y7hiagE2xpKTSbAUtzMYTnIbSLikbFGyfUOpyFdt16r3gk3qkldqup8CI9vmdvD1rvxsFHFdQKlm4ct28WVqNsM7AcMCYS4IdY3fjlHdgQeFzGauOLiE2HquU8FAgRipNJCs2vXSgmlj6qxAuSretb3YYCFUtS5vV7VhzZ\/si5aRaf72K7CkGDHBs9yzIrPzdtDp1CIjAcpqkTgTiqw5a7bneWQdm6knt9coPgKABTdfR1Wfei0Q3edydbubwRd1QyG5zjI0T9bXVZf85BmVvZ\/oiH86E0oC1c6Hyl3M4ke1W9+ncVNagK7XEVU\/lQ9u6NvkLWq7c7LzCfIQKMjglkD6IZxuZzbgX+IVXu+2\/W0iJnR1BIZqRhI1sURkCMk5kSbefJtA\/3ss1rR1eV5WU9Nj63Lk8fki45wlDZBMYeXWKNBze+M4K2DVnLaUMILrXDsu6YTHRFaaXufk6rRMF0IUC\/p6LhqvtpFhBb7T6xRXz1tVkXrpMYBZz4xjGSbfGjFB"} -01365{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1591267474847575,"flow_src_last_pkt_time":1591267474935131,"flow_dst_last_pkt_time":1591267474949617,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1200,"flow_dst_max_l4_payload_len":1197,"flow_src_tot_l4_payload_len":4297,"flow_dst_tot_l4_payload_len":5362,"midstream":0,"thread_ts_usec":1591267474949617,"l3_proto":"ip4","src_ip":"10.9.0.2","dst_ip":"104.26.11.240","src_port":60106,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":111459544.0,"flow_max":3566515783,"flow_stddev":620546368.0,"c_to_s_min":8,"c_to_s_avg":274354112.0,"c_to_s_max":3566515783,"c_to_s_stddev":950365184.0,"s_to_c_min":2,"s_to_c_avg":5370.6,"s_to_c_max":19948,"s_to_c_stddev":7139.0},"pktlen": {"c_to_s_min":85,"c_to_s_avg":372.5,"c_to_s_max":1242,"c_to_s_stddev":477.0,"s_to_c_min":85,"s_to_c_avg":324.2,"s_to_c_max":1239,"s_to_c_stddev":385.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Cloudflare","proto_id":"188.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01335{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1591267474847575,"flow_src_last_pkt_time":1591267474935131,"flow_dst_last_pkt_time":1591267474949617,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1200,"flow_dst_max_l4_payload_len":1197,"flow_src_tot_l4_payload_len":4297,"flow_dst_tot_l4_payload_len":5362,"midstream":0,"thread_ts_usec":1591267474949617,"l3_proto":"ip4","src_ip":"10.9.0.2","dst_ip":"104.26.11.240","src_port":60106,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":6116.1,"flow_max":20960,"flow_stddev":7174.9,"c_to_s_min":8,"c_to_s_avg":7296.3,"c_to_s_max":20960,"c_to_s_stddev":7072.4,"s_to_c_min":2,"s_to_c_avg":5370.6,"s_to_c_max":19948,"s_to_c_stddev":7139.0},"pktlen": {"c_to_s_min":85,"c_to_s_avg":372.5,"c_to_s_max":1242,"c_to_s_stddev":477.0,"s_to_c_min":85,"s_to_c_avg":324.2,"s_to_c_max":1239,"s_to_c_stddev":385.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Cloudflare","proto_id":"188.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00923{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":253,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":34,"flow_dst_packets_processed":219,"flow_first_seen":1591267474847575,"flow_src_last_pkt_time":1591267477602863,"flow_dst_last_pkt_time":1591267477602221,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1200,"flow_dst_max_l4_payload_len":1200,"flow_src_tot_l4_payload_len":5428,"flow_dst_tot_l4_payload_len":230739,"midstream":0,"thread_ts_usec":1591267477602863,"l3_proto":"ip4","src_ip":"10.9.0.2","dst_ip":"104.26.11.240","src_port":60106,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Cloudflare","proto_id":"188.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00564{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":253,"source":"quic-28.pcap","alias":"nDPId-test","packets-captured":253,"packets-processed":253,"total-skipped-flows":0,"total-l4-payload-len":236167,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1591267477602863} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/quic-33.pcapng.out b/test/results/quic-33.pcapng.out index 74f398999..d6217ab69 100644 --- a/test/results/quic-33.pcapng.out +++ b/test/results/quic-33.pcapng.out @@ -5,7 +5,7 @@ 01387{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1607938456563491,"flow_src_last_pkt_time":1607938456563491,"flow_dst_last_pkt_time":1607938456563491,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1232,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1607938456563491,"l3_proto":"ip6","src_ip":"::1","dst_ip":"::1","src_port":51430,"dst_port":4443,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","quic": {"tls": {"version":"TLSv1.3","ja3":"0299b052ace53a14c3a04aceb5efd247","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-33,hq-33,h3-32,hq-32,h3-31,hq-31,h3-29,hq-29","tls_supported_versions":"TLSv1.3,TLSv1.3 (draft),TLSv1.3 (draft),TLSv1.3 (draft)"}}}} 02197{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1607938456563491,"flow_dst_last_pkt_time":1607938456566304,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1294,"pkt_l4_len":1240,"thread_ts_usec":1607938456566304,"pkt":"AAAAAAAAAAAAAAAAht1gLBAvBNgRQAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABEVvI5gTYBOuKAAAAAQijB72XkxHdoQg7VxcI2Jvc+wBAmyNACkF8YFqpKbrULKoDb19+uZg6qvjJtwEJ\/uOaQSa3OSU6O4kzdS3stlDlI1x0pxU6U1p+48IkszqoivEYtB69bd+ITaYbTkxaelp3jMONrgP7+RVKaRNSt1HkpjhOcLPrzWczoHNZnIhNfvDy2JT2t08AucggcJe2\/4B\/vdnrtpqK6V\/yqwGFTMu1rQIkxS92C6tKauoy9+VqrwAAAAEIowe9l5MR3aEIO1cXCNib3PtEAuCsTgG\/NlsvOl6GJP2fa9o99BT145OKWZuTcmr433tc4jI7eA6S9XkiunJFKo6ZwPI0CMllqhzpZg\/M2oExoGin\/1BGN9cmCUQfuYgNqfFCtG+9ndT9HYjrsBCdjtJLmxL7rPr9q0tjGpDyuXZi9R4mNROPUrln\/PkhZzgiM0sHtdd5p\/bNeUYtEqE7ldAVt6\/n44lU+YN3SU+JWXbqssVrfvVzr36h3ab7fYZ2wDsFWfe3UAXx72w0FuOOYB7+7UQe00b5Z0z5SyfSm4P9dPYqojw9+jCHeJHd8IAkR4khzwJfJ3q7ZLCXjemRtbjS+jOnIFHSC581L8cRfFE0puRn3ZcyA6eigK1\/b\/IulmnDweMhm5uzPfRzVpuYtDAmfupBBO\/lq0x9UE6G6aXlrZk5pUsV\/Pqkms2\/6G+WtFFZQVjHMyjk00Lt801D4RBFQF6Pahphh1rFyerbrHyGpVjzLCCjQyphY+Ef9GwnSwZSXfDtl5l6V75F8hdBb7eRQwoSsYy2TAPUn+5EgUUMa1L0FdqwqulhpTwuiKxlEjCwVmTxOQ9cg0ckmklTggiUpDihR6CGEJh4wbwQvtSQI7moaNImb3zhI+1KDCqOesSmC0luDPiQ6HVXRRmZBTcfdXaVe6yn8aOTSuCvFQcYVZJMmDXWA3tjd8oaA17lJRBbd52Hesk8cJ\/YJxx85q2dKnHlb3PDDd1GsYUOHckqW9oBPW3OnKOCPAmLbdAwZewxw5NCtlvRr65YuEBJebGFHlf1HDlzUGnZEYOFz7QCUVI0Cm1TQGPnrse0LdnJMU4XAsVFTZ0rmN1WZ7lpL6siOc2kDO70InGs0erREqxP56ACsZJMVSLIWh+Wtd1TXT7s1cqcJTYFE1niy2vrWekG6gLj5S6d+RexzQMJFxrY7r+11SACpmCHMFInRkZ2X9ItKQsY5EbZalkFRVlIPVyM4egzMKz9sn52T\/vMFKgNzwFrf2sp17iUQaz1IyM4BWPhByUmfVEtsPpNhTudVAjT+DAK93H3WyrArXi\/C2kIO6kQjQL8MrdQf21Vn+lMg29055+PrObIIyJyGedJEXiBJHhcPUZyzw5wKIN3qGujdkkwR3NWZGQsR9D9oFcHebuLVvyY9rfcmZsewBxwBuE+3j7ZET5hnurVax3LpMwvKOC7lHimTxsExq+Apn9MfGeNafcclrRpd8qOhu5Y\/D9oPxLb43JPWxWrwE9\/H\/\/i9MLl+t0zWNInh13oyE1g07E++NmYobon6Smh\/KGoGULC6seHfmLDTFHYkzCH+jMiW6zoYiu7MVxzW\/pT13bjivVb6\/E5Iu6Gt0D2z7Y6bkUG7P9GxtXA2I4cOhOe8m7St\/U9gg=="} 01532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1607938456563491,"flow_dst_last_pkt_time":1607938456566431,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":805,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":805,"pkt_l4_len":751,"thread_ts_usec":1607938456566431,"pkt":"AAAAAAAAAAAAAAAAht1gLBAvAu8RQAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABEVvI5gLvAwKiAAAAAQijB72XkxHdoQg7VxcI2Jvc+0EX7RIgJstg2q\/pC81tAEQflatapq\/RZQEybKUVkOQrHxIiM3xbz3ZbafCyVgp9YFd+JrcvMCpFHqt9ha4UaWT\/CVOhVDMl+x8Qz2Pi7UbhXXzBIpETH8Z7GAVhwJp3720klhijkJwcoDMcJhlagIc47WtHZyC2\/NvYhyD6pe18qYPoUjuwqv+wJE\/ZuFV52ejpLWx76nNhIhGaoM22WiUW2N20UYQh0kubnK8ydedmguDEIxF73mmjfBjQU7d+\/kjc6w69nvaNM1WUtVe+1pIxu53jikC+jWmnb37byYPq9yuXiC3\/7jLmxfDtd9m0NACttAKJA\/JNnc1mj5nC7Y4hcumqIR3HrbC6nuLoYsXX2Zp0f9UgYV0fEqMHvZeTEd2hiKBY6bJdCuJKiCqdgeiTl8HqX5mvvlLWJPlmCEJCqIrxf4AkkUVGE4BSMBWdBgCOEniMLjdilc+qHYhwYNZ7tIGoZF6d6e+Y9Yje+rmHUnbpVz7jAirlBT5H70Gx8i7gxMgFdddmzogwCmelHc7wvmzlC3bbPNEkyFgFvBjt104z4kXXH0FdVNTjvLWqMrMbCISgSyaKcGImnAuSczuqI+IdDAVMV3KZetnbRYTODT0MnkiyhjZS2c2FGhXiSczCoL+nOf5G7u0IMQ1S2B5gWkWA4zkPvuFc+aQWgo\/5D9qUsPB6Q6\/Lj7MI5fOlLauhfzQmW9GNJRpuqdg3\/ZmECJ9z4HnHnfJd1luO6tXDuMawQhxYeD2xpO\/QqBEAH7sAsFTq\/abn1uTe8vqVNYsZRf0hwJAKRW\/BJxg25OGxhUlcywIb3vGZoq+dJmTxYWX\/eqXVDs+dco62ygOlroB9wJoypHt\/D+y7eYcgKaWYE3hnP28kNmmEQuWhfqoLHNJTZas1p5oY5kezaxnU27xSuQXqGdvZdYxhIaICM8EHXUKIOqW8fx5oue03v9+86w=="} -01584{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1607938456563491,"flow_src_last_pkt_time":1607938456569390,"flow_dst_last_pkt_time":1607938456569730,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3531,"flow_dst_tot_l4_payload_len":26643,"midstream":0,"thread_ts_usec":1607938456569730,"l3_proto":"ip6","src_ip":"::1","dst_ip":"::1","src_port":51430,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":15,"flow_avg":46412524.0,"flow_max":1485188627,"flow_stddev":258411808.0,"c_to_s_min":22,"c_to_s_avg":165021616.0,"c_to_s_max":1485188627,"c_to_s_stddev":466749536.0,"s_to_c_min":15,"s_to_c_avg":271.3,"s_to_c_max":2813,"s_to_c_stddev":604.5},"pktlen": {"c_to_s_min":115,"c_to_s_avg":454.3,"c_to_s_max":1502,"c_to_s_stddev":513.1,"s_to_c_min":117,"s_to_c_avg":1220.4,"s_to_c_max":1502,"s_to_c_stddev":491.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01550{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1607938456563491,"flow_src_last_pkt_time":1607938456569390,"flow_dst_last_pkt_time":1607938456569730,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3531,"flow_dst_tot_l4_payload_len":26643,"midstream":0,"thread_ts_usec":1607938456569730,"l3_proto":"ip6","src_ip":"::1","dst_ip":"::1","src_port":51430,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":15,"flow_avg":391.5,"flow_max":3446,"flow_stddev":792.0,"c_to_s_min":22,"c_to_s_avg":737.4,"c_to_s_max":3446,"c_to_s_stddev":1104.1,"s_to_c_min":15,"s_to_c_avg":271.3,"s_to_c_max":2813,"s_to_c_stddev":604.5},"pktlen": {"c_to_s_min":115,"c_to_s_avg":454.3,"c_to_s_max":1502,"c_to_s_stddev":513.1,"s_to_c_min":117,"s_to_c_avg":1220.4,"s_to_c_max":1502,"s_to_c_stddev":491.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01141{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":992,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":99,"flow_dst_packets_processed":893,"flow_first_seen":1607938456563491,"flow_src_last_pkt_time":1607938456578110,"flow_dst_last_pkt_time":1607938456578127,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":8598,"flow_dst_tot_l4_payload_len":1270620,"midstream":0,"thread_ts_usec":1607938456578127,"l3_proto":"ip6","src_ip":"::1","dst_ip":"::1","src_port":51430,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00567{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":992,"source":"quic-33.pcapng","alias":"nDPId-test","packets-captured":992,"packets-processed":992,"total-skipped-flows":0,"total-l4-payload-len":1279218,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1607938456578127} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/quic-mvfst-22_decryption_error.pcap.out b/test/results/quic-mvfst-22_decryption_error.pcap.out index 1ba823d74..34b703439 100644 --- a/test/results/quic-mvfst-22_decryption_error.pcap.out +++ b/test/results/quic-mvfst-22_decryption_error.pcap.out @@ -5,7 +5,7 @@ 00897{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1593498296832000,"flow_src_last_pkt_time":1593498296832000,"flow_dst_last_pkt_time":1593498296832000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1232,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1593498296832000,"l3_proto":"ip4","src_ip":"10.230.40.168","dst_ip":"94.97.225.146","src_port":62196,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","quic": {}}} 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1593498296833000,"flow_dst_last_pkt_time":1593498296832000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":106,"pkt_l4_len":86,"thread_ts_usec":1593498296833000,"pkt":"RQAAapbBAABAEXBACuYoqF5h4ZLy9AG7AFbkKub6zrABCEACR1YBz3h7AD4ztLOg+8\/NWUDesKp0sDyq9wl\/qnK\/iaP4qknLwsMfEkvd24lrwL0JnOo2eK80vHLhCKIp2AiTqDI94jB8\/Q=="} 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1593498296833000,"flow_dst_last_pkt_time":1593498296832000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":106,"pkt_l4_len":86,"thread_ts_usec":1593498296833000,"pkt":"RQAAapbBAABAEXBACuYoqF5h4ZLy9AG7AFbkKub6zrABCEACR1YBz3h7AD4ztLOg+8\/NWUDesKp0sDyq9wl\/qnK\/iaP4qknLwsMfEkvd24lrwL0JnOo2eK80vHLhCKIp2AiTqDI94jB8\/Q=="} -01388{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1593498296832000,"flow_src_last_pkt_time":1593498296833000,"flow_dst_last_pkt_time":1593498296836000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":3572,"flow_dst_tot_l4_payload_len":18205,"midstream":0,"thread_ts_usec":1593498296836000,"l3_proto":"ip4","src_ip":"10.230.40.168","dst_ip":"94.97.225.146","src_port":62196,"dst_port":443,"l4_proto":"udp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1000,"flow_avg":251377824.0,"flow_max":1005506288,"flow_stddev":435396288.0,"c_to_s_min":1000,"c_to_s_avg":502753632.0,"c_to_s_max":1005506288,"c_to_s_stddev":502752672.0,"s_to_c_min":1000,"s_to_c_avg":2000.0,"s_to_c_max":3000,"s_to_c_stddev":1000.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":385.2,"c_to_s_max":1260,"c_to_s_stddev":401.2,"s_to_c_min":66,"s_to_c_avg":855.5,"s_to_c_max":1280,"s_to_c_stddev":517.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01352{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1593498296832000,"flow_src_last_pkt_time":1593498296833000,"flow_dst_last_pkt_time":1593498296836000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":3572,"flow_dst_tot_l4_payload_len":18205,"midstream":0,"thread_ts_usec":1593498296836000,"l3_proto":"ip4","src_ip":"10.230.40.168","dst_ip":"94.97.225.146","src_port":62196,"dst_port":443,"l4_proto":"udp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1000,"flow_avg":1666.7,"flow_max":3000,"flow_stddev":942.8,"c_to_s_min":1000,"c_to_s_avg":1000.0,"c_to_s_max":1000,"c_to_s_stddev":0.0,"s_to_c_min":1000,"s_to_c_avg":2000.0,"s_to_c_max":3000,"s_to_c_stddev":1000.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":385.2,"c_to_s_max":1260,"c_to_s_stddev":401.2,"s_to_c_min":66,"s_to_c_avg":855.5,"s_to_c_max":1280,"s_to_c_stddev":517.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00938{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":353,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":43,"flow_dst_packets_processed":310,"flow_first_seen":1593498296832000,"flow_src_last_pkt_time":1593498297033000,"flow_dst_last_pkt_time":1593498297036000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":11825,"flow_dst_tot_l4_payload_len":378781,"midstream":0,"thread_ts_usec":1593498297036000,"l3_proto":"ip4","src_ip":"10.230.40.168","dst_ip":"94.97.225.146","src_port":62196,"dst_port":443,"l4_proto":"udp","flow_datalink":12,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00587{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":353,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","packets-captured":353,"packets-processed":353,"total-skipped-flows":0,"total-l4-payload-len":390606,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1593498297036000} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/quic-v2-01.pcapng.out b/test/results/quic-v2-01.pcapng.out index fee249eaa..e9c73cb9d 100644 --- a/test/results/quic-v2-01.pcapng.out +++ b/test/results/quic-v2-01.pcapng.out @@ -5,7 +5,7 @@ 01472{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1643108746209343,"flow_src_last_pkt_time":1643108746209343,"flow_dst_last_pkt_time":1643108746209343,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1252,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1252,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1252,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1643108746209343,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":34229,"dst_port":4443,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","quic": {"tls": {"version":"TLSv1.3","ja3":"c0ce40fbb78cbf86a14e6a38b26d6ede","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-34,hq-34,h3-33,hq-33,h3-32,hq-32,h3-31,hq-31,h3-29,hq-29,h3-30,hq-30,h3-28,hq-28,h3-27,hq-27,h3,hq-interop","tls_supported_versions":"TLSv1.3,TLSv1.3 (draft),TLSv1.3 (draft),TLSv1.3 (draft)"}}}} 02195{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1643108746209343,"flow_dst_last_pkt_time":1643108746211563,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"thread_ts_usec":1643108746211563,"pkt":"CgAnAAAACAAnfrFjCABFAgUAAoAAAEARgVPAqDjGwKg4ARFbhbUE7O7hnXCaUMQIS6wx1HkzRzII64iRQkuUIpwAQJyCVjJNuDCrTNqXXWMPn6Re4L7SYVwqGIQCQc\/4z9NyAaPCA1EjtACuJoZLCrSNpYRSybpCuKQ+WoUiUllNx92L2MPAGJw7utYFPv5OGHw1\/\/sWndgkLy8hp7pR69\/u09rZKcS+JfFwJmuIf\/ksSjGDUumn50Ay2Rd6o4XXl0HmsmbBIvWvgU6hASVdT4jxaoclAPsXX8CPP0up6Fe0cJpQxAhLrDHUeTNHMgjriJFCS5QinEQVHufFpgZs2aV6du2ZRQqQKDOjoGilHODVeRgnXJ5P7T\/zsZp32p1pLUsBPppTZZgXUGe0MYPRpYRLZP6S2YwCHKWU+l73n0JGtHauiFtNycThrlHgcsb8sk5tcvU6Y6ScYjaBJZo4SvzfNpo4yZWfBNk2UYHfihFbXoBagL8Ni3TJrQD045tOl+1YfuvN63veyZsQEZqEx0dBAmyVl+9xjvqkhzopKh+NpWRz5BIklAlUFmpNduMfQ3T20hAf9mJ3AOigASJmi6bsOzfT+fmMLLJFCGGvf7Vtj5E1FZRVn4fPJh6AHDI4r32EO9lBeOo\/bRxKO\/xtuNE4dXyQrhgsAmgYHZAjkPqRu\/l7804XDa5V8jNWzrthKJ47r2cSNRYsG+fH2fUAebN4YB+rihSsIZxpHY2QnwFGSwB6H7Skxg+Iph02BLynk+Iu8t78JbQQo03RTVad7a1H2K5yGJBnwMaDh8uWKRogMWzILW0GAvr6cB6rKtZvIB6iaFRtpW21wxF6FMiWghHWS2MMSMwh35jVZuDUmDisttokt9hNGZX0VcNuKmWidzlE8BvnwG5U\/lPWrVnAvZVmrZTmpKOyI5TR7nxh84GrxxCAx17MsDCnck39parnwVt\/QNJg4GreMjaXUUPTYWQryOwbG6s95MTEr3kfYLs4mW1uf0zDrci29F2sFu\/C\/HmqkFvZ0OOGC+62wGqGORW\/vlf01u6eGRup6wAte8fwWPF\/vwQLZV4\/zxpFUgF0tAqfKM3PO4Haxa9nHsPVZrUGZMlLFWcB4nBKG1NdoHQpFnsMhBc+wza2JrPisqt5PiVyJC6OvV\/cU7ww3Rc1ZbzC4jloEENrow5U5qEqSaBP1zNwYznCuMne7LwjmE8EnIma1wUrAiD9QtQZyRcWI2tpjtba1QsGHPmDL5TsbCiu5lRo6fKqxLAw32vAkyC76P1133lt7HXruzSBRhmkFpsQbeMtEt1sNBll1ZQMowIuN84gLLCcft+MTcp3i74\/r8i865o44mVqYEl+o8X\/pbSdpT9L6gLAevV9TpMYpr+mcHT0ieagX7Jnn35uw6zjOtQWRDf+XCisrr1nKY1EVNzop8RK6vKaPR4oivRBODylVd6kbG0JUHAnr0Ix4f91IhN0iE9wN0staG0WUiyWtw\/orMSuxqBfKKdgnMAvmqdZTtqpjXi4aDVPEGseUXFoRd2eIp1NKtyrFMTN8zew2FQfUM5ZPV+mLZOckS47BcCaj33vmjmNhp4PqOibtw4GGIkqKdtzvIDU5hpFJQe3oYXwcGYY3eEEzdtrD2Vx0tDP6Yxy6KvVsm5\/mMYXMhGZoUA1zlKEtVTTbazFot35oVX4ngIUMjLuaLnu+ZQA\/SsjZCeWQrKvnx2aQ0fMdg=="} 01476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1643108746209343,"flow_dst_last_pkt_time":1643108746211597,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":766,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":766,"pkt_l4_len":732,"thread_ts_usec":1643108746211597,"pkt":"CgAnAAAACAAnfrFjCABFAgLwAoEAAEARg2LAqDjGwKg4ARFbhbUC3F+UvXCaUMQIS6wx1HkzRzII64iRQkuUIpxBBHClZrSkXwcilginpQcYrC6+gYqStd9rEPJAVa\/X+ectxL4RSmYFqLCVrwpVh1cagxhOComdCEfuthVLRVGijz0VZq73gJfVJDTIt9AqzDxtaVsVpsxn9nkBr8pmVajuM19igvEhLOOlSEyBeUeB0DFdaZHW2\/JO3NISTHIWsZrZsFMVLd9gHsuxJ1cw3ZhmXfOm4UQbO0gsJiSVP1hEVffenYC7rMaAhCUYN9+RJxV5yNtMPMGyD3sgFiZTkHnxcTLuuCOpBBBkbts\/gMCM9IZChkDacnOh2OF9\/ohY3MEFlrim9kn0Lkww\/L7utDiRt6G4nl7rnCzjkcY3xLHSfS\/UQGApX0usMdR5M0cyG4HtNIk9Hu3yusEW1qJhexs\/jd2MFqPbzXoJkoBqBRJp9qv7uPIeaJrkQv0lZW4FoaNVZAxaKV+W4vwOyfLLLUAqbD+eP0q2akwmVXy9Y8QV3RpHIAEJdYstRBWUkoiGbfH\/tn+FdXpRyxXFod1a\/iZeqISyuYA2sKP1DJjEFrTzbkdHxX2JNiQQ2tZ+ApMfsQ0Q3QHD6f2C+xRLtvPcLqXP7RxXsRrD38p085fQ2lzG5FGYGgbhRGLwEvS2xYmIc5SWcIMn4zDkXXhhptIlqESYssWwykAjHZI2+hUtqOdrCizJkWiDODkpCMdaXGRR20dzaKQXdlriwcHLV5d1GvkCwMjcqS+C3ysNw8ltkxZbJAw3X1KjTK669DDz0zSittHV41nQk4SLHBtK3xCfytcsQ2Woqekdb3A1Hgo2e8QMTF4S4OsVjiekXWM847U9xQtRGGBIxOeuuzZN2uX3hL9UxceXknbMIBuTtD1iz9sd5bcqUQJpjX4\/iuJ0SwzD3dHw3Uy0h7w+q864l4fPWvhkeXfYvfcT+Icqi6TMXyciH2pSvVxaT4WJf32OcA=="} -01597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1643108746209343,"flow_src_last_pkt_time":1643108746213653,"flow_dst_last_pkt_time":1643108746213782,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3681,"flow_dst_tot_l4_payload_len":28445,"midstream":0,"thread_ts_usec":1643108746213782,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":34229,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":8989259.0,"flow_max":287647535,"flow_stddev":50048504.0,"c_to_s_min":15,"c_to_s_avg":31961316.0,"c_to_s_max":287647535,"c_to_s_stddev":90398728.0,"s_to_c_min":3,"s_to_c_avg":193.0,"s_to_c_max":2220,"s_to_c_stddev":460.4},"pktlen": {"c_to_s_min":97,"c_to_s_avg":451.0,"c_to_s_max":1482,"c_to_s_stddev":513.9,"s_to_c_min":97,"s_to_c_avg":1278.7,"s_to_c_max":1482,"s_to_c_stddev":439.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01568{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1643108746209343,"flow_src_last_pkt_time":1643108746213653,"flow_dst_last_pkt_time":1643108746213782,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3681,"flow_dst_tot_l4_payload_len":28445,"midstream":0,"thread_ts_usec":1643108746213782,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":34229,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":282.2,"flow_max":2611,"flow_stddev":585.9,"c_to_s_min":15,"c_to_s_avg":538.8,"c_to_s_max":2611,"c_to_s_stddev":795.1,"s_to_c_min":3,"s_to_c_avg":193.0,"s_to_c_max":2220,"s_to_c_stddev":460.4},"pktlen": {"c_to_s_min":97,"c_to_s_avg":451.0,"c_to_s_max":1482,"c_to_s_stddev":513.9,"s_to_c_min":97,"s_to_c_avg":1278.7,"s_to_c_max":1482,"s_to_c_stddev":439.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01164{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":923,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":34,"flow_dst_packets_processed":889,"flow_first_seen":1643108746209343,"flow_src_last_pkt_time":1643108746226518,"flow_dst_last_pkt_time":1643108746226632,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":5301,"flow_dst_tot_l4_payload_len":1267919,"midstream":0,"thread_ts_usec":1643108746226632,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":34229,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00570{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":923,"source":"quic-v2-01.pcapng","alias":"nDPId-test","packets-captured":923,"packets-processed":923,"total-skipped-flows":0,"total-l4-payload-len":1273220,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1643108746226632} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/quic.pcap.out b/test/results/quic.pcap.out index 32ac4171e..78baad8bf 100644 --- a/test/results/quic.pcap.out +++ b/test/results/quic.pcap.out @@ -5,7 +5,7 @@ 00953{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431155536815947,"flow_src_last_pkt_time":1431155536815947,"flow_dst_last_pkt_time":1431155536815947,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431155536815947,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.212.101","src_port":57833,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.GMail","proto_id":"188.122","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"mail.google.com","quic": {"user_agent":"beta Chrome\/43.0.2357.45"}}} 01088{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1431155536861947,"flow_dst_last_pkt_time":1431155536815947,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":478,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":478,"pkt_l4_len":444,"thread_ts_usec":1431155536861947,"pkt":"ZHACjT05eJKcD6iOCABFAAHQHY9AAEARrNjAqAFt2DrUZeHpAbsBvNDyDbLeXfFPVUXrUTAyNAKdxuQD3gljSLhQUOfLRbUHNhGyhVA9b2u4w1RW9E4SCZCpycMJZccQCIwgTfygJ\/6u\/OxyXHQ8t9GsIUVpGN5BSEz\/EaopIjzG0oey+J14dhVaQT5clZ4hX2alMKUnKCpX2UHp8k4gIBE+BTaDbhx4sVltZ3YRbFd1slVBcwxCCDis9hGoXWyhcUU9TpSCvPXqyDIBYGsw8hGUNxjvWcC36dLiKPlQ1A++VHlkjzGxGsfgIrij15t0O6lgXxVbA\/HpW3G2ebAmsKraKCAnkkUtJl3AOI\/J2OljPOJ8ybsb8ihq0NT5yt7I6jw60az5CR6QV4lZS\/t+fQsKeKH0MrEQhH3b6f+BZUKI9uikSR4hfQxA8xYeMMFcn\/fjScjPTaUqPoQqgHKJPMZAaJaOIXR\/06t5\/mWN79wAQ5uIfj\/sSvnF2vA+Wg+Ct+7u2iMK\/1hOAY0\/EO0phnuWYuhnxN7rmjjYiKKpzjb+WYnzCHocgbS6q4u8VmchP8qd2Emms7CkStzYV\/CAUZKEnfSvajU\/RaVfjhz9giNrW3Dr5B1Mu7zIwMFBEg=="} 02320{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1431155536861947,"flow_dst_last_pkt_time":1431155536876004,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1431155536876004,"pkt":"eJKcD6iOZHACjT05CABFAAVi+w8AADYRFcbYOtRlwKgBbQG74ekFTrySAAED7yXOnwe7pFDDfekcKJR3Jy2sqO+OrEMBkrmlA5460PLSsQWLxQP3oiY5d8U9vyThqGCVEM5n\/b30dAd2DjWMikTcCyMma2f07JhYHF3MMGVgNWOe6MGYINMPJ609w8TfRzFDXO2Hv3Rd+Io3\/xrzZn4oPs6zhHI1yq2C3Bu04kRZDHQePoRj30\/8HvjxNKB4JiKyE+zKdMREBQ3JOi\/Z6sOIMbX9akogkYpnl7ng6wuSDWdU0O6S17QqQ\/PZNbWcKj10ybS4iwVQA0f8amB7S9uZIaouXNiBUNnVoBkvwUNJHLfYTkO7Lcrh9\/y6VuU0sUqC5BwPmW+2ikCeMngUD1xHT1Lx5xcuKKpYgNXg5fiz8miFT9HCjdjO6B4AMX2tdmMxafKWE\/OE83wkxbiDjermaqDLFN43iZrsa77dngVKSa0JOoliFCpsBQc+8MPNJciywBt2F7RgKowH2h+9Qk9ORQtDAbuXMpSiJJWSUWGURbG9ZouMcFzy3aCPhH9WEaiDxSqv5bG1C+4++Ap3JmLZGydHT1SxVwfUUCxHryOH1SJLcVb8wYjogx1ZyV2hUKKGb\/LTkrzKQgQmaow0b30+zmXo8EqAqNi+pbkwMCjRuhbpSGWkDycL5nwxuP9Ml3fkw+Nua2MwUp0EfcBQbRU9wNgqxQ9uJseySfgLNd277XFk6kBsEbZHLkwoqVC16i6UXqO9Bq9Qa6OSE4HmTd0ZK\/TJwTkvyZH7HArDOO\/IcXlmUhCYygfBL2Q5ZpNExxrN9hs9fyUTlDAy\/fKVbi1DmTvb8UQ08IKIHR88Yq94i78i11E4Ck+d\/mt1HMNvsgPj2pD+djmLPe2eSTH37Jk2vmFRiqCOpbpsl49D\/VP3D6Iqy69k4ASDn2RRISJtJTG3B4eSG0UcIyl51iCsWhHCXqo+IYYFVP5DZZddk8U1w9uBnJXeOg1TXZTOMI0ol6bS146IgKA69vbLEVfalKBSuGdHvDKyOMSnLak5kQ2gF6fQS9y3naenu5fopH54EXjO3jjfmTVJmGvZC\/P1NiZtWEgaqDhB2DugL5t17Tc3VwmJfqg+3eAVYWabEKtkMdIl3iArLACUUBNCZz1HkomKYV+WYy79+d13Y8v1fzFaFyLLqqM4eyurBPDRG\/+y1oiSpL+pmxwnbgxI3utzVErOYH+5lhn82g\/+Ii+SkdpS0RH4VCbqV\/v0Y4Y5Od4xYJhouL7GcBe5gBVDLL2wvDGN\/2TxDwPjLE+A3+O2Fa4G5F\/+gjnrsB0wdiL\/ilvOHsRXVpnfbw+QbFdGjFQzBh00mHjlv+hyldAVX6DRrmAyZqfHl4R8DYS3AwjxssPWDwDtSUMlQQpikBERZ9MMlFb4xTKRR\/wBi8a8Irtzx\/kIza\/1v2NJPtS13JBH+AEVAHqIKkeVWhalz8eieG0tc75G2spbagtiyakNL\/rq+i0PePLukIW0MDDsvi7O7dn\/0fwGspoErTl6j3PKwj7+sTyyEqAVRQx1M7OB+kmMDRumZ6Ct9DotkVa72qOqLha\/8xxMPobKOFlHa3535yRdBIpdRmga9bEYopLGGzkYHAzAiGpiXAo7oYF9gbpS7a5ciOCtFbOspMqjc6us7YE1Fk9eZR8mOK3nE7WlV4miQCj5Ye\/jSzjCwJgC1JXYSzigmV7HoFUEa9032KRB3TfddhJ9qY+MTGbbTrJ2h+zE2tLE+GlMJ43i68EjkXl4FQgRWpuP1j6L9IzE9WrKG1pRl60aGD77YrqqhZeBKTB3VaLzjU5uW3RnvxwpEMU20qKXXlS1"} -01375{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431155536815947,"flow_src_last_pkt_time":1431155545866860,"flow_dst_last_pkt_time":1431155545859249,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4333,"flow_dst_tot_l4_payload_len":4661,"midstream":0,"thread_ts_usec":1431155545866860,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.212.101","src_port":57833,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":116637688.0,"flow_max":3714311739,"flow_stddev":646161984.0,"c_to_s_min":14787,"c_to_s_avg":232710160.0,"c_to_s_max":3714311739,"c_to_s_stddev":898946112.0,"s_to_c_min":7,"s_to_c_avg":565206.4,"s_to_c_max":3197585,"s_to_c_stddev":975352.9},"pktlen": {"c_to_s_min":79,"c_to_s_avg":312.8,"c_to_s_max":1392,"c_to_s_stddev":392.5,"s_to_c_min":61,"s_to_c_avg":333.3,"s_to_c_max":1392,"s_to_c_stddev":372.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.GMail","proto_id":"188.122","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} +01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431155536815947,"flow_src_last_pkt_time":1431155545866860,"flow_dst_last_pkt_time":1431155545859249,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4333,"flow_dst_tot_l4_payload_len":4661,"midstream":0,"thread_ts_usec":1431155545866860,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.212.101","src_port":57833,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":583684.4,"flow_max":3197585,"flow_stddev":963931.8,"c_to_s_min":14787,"c_to_s_avg":603394.2,"c_to_s_max":3119141,"c_to_s_stddev":951202.9,"s_to_c_min":7,"s_to_c_avg":565206.4,"s_to_c_max":3197585,"s_to_c_stddev":975352.9},"pktlen": {"c_to_s_min":79,"c_to_s_avg":312.8,"c_to_s_max":1392,"c_to_s_stddev":392.5,"s_to_c_min":61,"s_to_c_avg":333.3,"s_to_c_max":1392,"s_to_c_stddev":372.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.GMail","proto_id":"188.122","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} 00558{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":414,"source":"quic.pcap","alias":"nDPId-test","packets-captured":414,"packets-processed":413,"total-skipped-flows":0,"total-l4-payload-len":237528,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1461850699450756} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":414,"source":"quic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1461850699450756,"flow_src_last_pkt_time":1461850699450756,"flow_dst_last_pkt_time":1461850699450756,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1461850699450756,"l3_proto":"ip4","src_ip":"10.0.0.4","dst_ip":"10.0.0.3","src_port":40134,"dst_port":6121,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 02297{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":414,"source":"quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1461850699450756,"flow_dst_last_pkt_time":1461850699450756,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1461850699450756,"pkt":"OGO7P47K7LHXhMJyCABFAAViImxAAEAR\/xgKAAAECgAAA5zGF+kFThlmCfresOVX5pKgUTAzMwHak8zsp30I9q698IIAoAEUBUNITE8NAAAAUEFEAEwEAABWRVIAUAQAAENDUwBgBAAATVNQQ2QEAABQRE1EaAQAAElDU0xsBAAAQ1RJTXQEAABOT05QlAQAAFNDTFOYBAAAQ1NDVJgEAABDT1BUnAQAAENGQ1egBAAAU0ZDV6QEAAAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLVEwMzN7Junn5Fxx\/wHogWCSkhroZAAAAFg1MDlYAgAASxIiVwAAAADS+1vXZRZzJ1+rqmPJtznpSW1g7BCg2rfC01sXLNMkHQEAAABGSVhEAEAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} @@ -54,7 +54,7 @@ 00960{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":450,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463075953299562,"flow_src_last_pkt_time":1463075953299562,"flow_dst_last_pkt_time":1463075953299562,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463075953299562,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.210.206","src_port":35236,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","quic": {"user_agent":"Chrome\/50.0.2661.102 Linux x86_64"}}} 00960{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":451,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1463075953300127,"flow_dst_last_pkt_time":1463075953299562,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":387,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":387,"pkt_l4_len":353,"thread_ts_usec":1463075953300127,"pkt":"6HTmLPTkABlmWmaMCABFAAF1aTxAAEARYx3AqAFt2DrSzomkAbsBYbFkDby767UFbXetUTAzMAIyT2zFCwKRbjpW5pKGcwa\/zOYtI4ibM\/DXTo+3hM8QHjQop2VE57N\/4px1Dr2rh1Of6fuprsXKXOLDTQHDMOztLE0ibzNUs5cviwMINA8HUKs1w\/8wSCAJg+c5E0s64vzHKdQ5N4AY1I+whZj+YXv7QX9bQtyBCP0WJRsK41puLJyY\/5rYf1WXDzsnCxRRei33WDvMsb+MNKppe2kXK4Q1DqzsKviobjh+ZnTmMaJFKxfjljXwNv0dsW2Nhjh9NEpVNdRUHHe+L\/umz5nJPSc8m3xsZrs27PfAfYs3O4DQT7zrN+rUD1tvAlM6ojpuYBXQUKIqFg6jkPkLtz0lnT5ofUC3bxq1J8gFqtExK3aj\/kH0as9Y1tYZiRMdgBmqLNq1Ru6unJsdETbKAQha1+Pgo4qtxiVVhohC7TEjAQj3UwwRrwKowX6bUvpY"} 02310{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":452,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1463075953300127,"flow_dst_last_pkt_time":1463075953334920,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1463075953334920,"pkt":"ABlmWmaM6HTmLPTkCABFAAViGxkAADQR+VPYOtLOwKgBbQG7iaQFTgWwDLy767UFbXetARhGCjp5JYP2NRSCDQGAAVJFSgAHAAAAU1RLADwAAABTTk8AdAAAAFBST0a7AAAAU0NGR04BAABSUkVKUgEAAENTQ1RGAgAAQ1JU\/xIGAAAt19AYB5aaMKurHRM81LpDG06F1\/HgjIAXnLSYHoaRDG+YCx4gYrs3k43pE\/W5utsyegd0CLIV4fasqoZkRpVLMtnpS+sIRqrbfvgjIL2IUeZTlSGu\/7+bU4Z+Ij1vgEEcToZ\/00OYAYgC+05liNl+ov97hTBFAiBs6kS1HuLjC8x7gQEfBCOAowmjvDZU885lgtcWaGEy0QIhAPm+1mJq5QK6WHRPaEUwOfyND\/8ufeGnt66391Aj9lqnU0NGRwcAAABBRUFECAAAAFNDSUQYAAAAUERNRBwAAABQVUJTPwAAAEtFWFNDAAAAT0JJVEsAAABFWFBZUwAAAEFFU0dDQzIwWGClOjtYNIHfmiHJ0bGFX0NISUQgAACup8alaVf8gP6KOzle5pjmXvoOKgb+N2LRgB5dcX8Ka0MyNTUSxc3dEjis6kATN1cAAAAADQAAAADyAHcA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo\/csAAAFUe1HMJwAABAMASDBGAiEAqHfzHEY9KN1QjXeaiZlcHt6ybhyDsnLIoo6e82Zg73ACIQCveMl0OwuTrVY5LqDcb5TIihLD6ZAJQlUDU68E5\/BK6AB3AN3rHSt6DU+mIIuBrYFocH4ujp0B1VyIjT0RxM227L7MAAABVHtRyfMAAAQDAEgwRgIhAMWc6riI2T4lmoQuPyvTrFTQuoCnh6VaWJBNwHgCZloKAiEAiHJhhSnJcrUXaDEZQLClSBLKToA3CEOVFu+IPvrOhh4BAwHogWCSkhroAwAAAAN7Junn5Fxx\/wAAAAAA\/wYAAHi7c1AtxPvNxgAsudi+GzSx3oe04Tic2NatWf922kf0hhwVG1mgwsAMmIdMgPkF1p4zMDcyN7AwtgR1otKwWsXBw+UMTDdp+UV5mYmwBMnOw+ubX5pXAkpdYZmp5XB38SC7S9RAGOwuHh4tYJiChMGRGwkUZgf68ZwtsPnBAWYwM7IzOzGwvF91fdMNT2Ud1a7MlSledVlybaZOW\/IT25eYrq8qUp7OLmq33YHB9tcRfpb4rOn2rfYyM5bOl9xpdepuGi\/LiYsHpi9uYuk3aGLpJlSANTGD+wiCLE3MrkCOYxOKA5t4tfQS81KK8jPBDZ4mMSC3oCA1Lz0zLxVZmZCWXnJOfmkKspgYzCDdxLzEnMqSzORisDg3woJEZE5OEx+S1XqZeaj8rAJUfml2Ez+yU\/USi9AFStEEktBVJOejCeRWoAmUoGspy0Nyc0oqEie1GImTVoTEyShF4mSWIHHycpA4BSicElCgQjiJKcAiABJ4cMdARPKaRGACQNncVGCLAqxMECZalpmSmg8WAsVrcQmwYEwGaeNF4gEluYDcshJDJLYRmA00PTe1pAioClk10Chg2yUjE1xANQmAeDloMV+ZX1pSmpSqm5efnJ+fnQlPTFBxNGWpKaWQKhyWQICpJTcdzJGCJ7+czNS8kmJke7iRkyYLSH0TG1Aa2MZpEsGa9LiQkyyWYONC8hYXuGiGmMYBdqdeEjC6kT0ggs35SA0q9gaDDKRiOQZYsGgjFbjy0DKwIDsTyVf67p6O7kbgElUbqQyHKYYGgyGyDlC5jtTI273NV8E2Yd+C1ye2dnFOb2eeVW6ug9bQQS6rsfaMFCEtB2DVhdYd4WBjS2\/kARbTBgaQ"} -01371{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1463075953299562,"flow_src_last_pkt_time":1463075954259331,"flow_dst_last_pkt_time":1463075954259852,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3706,"flow_dst_tot_l4_payload_len":22849,"midstream":0,"thread_ts_usec":1463075954259852,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.210.206","src_port":35236,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":65310596.0,"flow_max":2088018955,"flow_stddev":363289184.0,"c_to_s_min":132,"c_to_s_avg":174081552.0,"c_to_s_max":2088018955,"c_to_s_stddev":577073920.0,"s_to_c_min":11,"s_to_c_avg":48014.5,"s_to_c_max":828641,"s_to_c_stddev":179627.2},"pktlen": {"c_to_s_min":79,"c_to_s_avg":350.8,"c_to_s_max":1392,"c_to_s_stddev":478.6,"s_to_c_min":75,"s_to_c_avg":1184.4,"s_to_c_max":1392,"s_to_c_stddev":467.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +01350{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1463075953299562,"flow_src_last_pkt_time":1463075954259331,"flow_dst_last_pkt_time":1463075954259852,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3706,"flow_dst_tot_l4_payload_len":22849,"midstream":0,"thread_ts_usec":1463075954259852,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.210.206","src_port":35236,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":61937.4,"flow_max":828641,"flow_stddev":198595.2,"c_to_s_min":132,"c_to_s_avg":87251.7,"c_to_s_max":803246,"c_to_s_stddev":226915.7,"s_to_c_min":11,"s_to_c_avg":48014.5,"s_to_c_max":828641,"s_to_c_stddev":179627.2},"pktlen": {"c_to_s_min":79,"c_to_s_avg":350.8,"c_to_s_max":1392,"c_to_s_stddev":478.6,"s_to_c_min":75,"s_to_c_avg":1184.4,"s_to_c_max":1392,"s_to_c_stddev":467.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00917{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":518,"source":"quic.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1463060980356958,"flow_src_last_pkt_time":1463060980457563,"flow_dst_last_pkt_time":1463060980449085,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":2740,"flow_dst_tot_l4_payload_len":2737,"midstream":0,"thread_ts_usec":1463075954300949,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.201.227","src_port":40030,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00868{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":518,"source":"quic.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1463060980313862,"flow_src_last_pkt_time":1463060980404996,"flow_dst_last_pkt_time":1463060980377579,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":81,"flow_src_tot_l4_payload_len":157,"flow_dst_tot_l4_payload_len":81,"midstream":0,"thread_ts_usec":1463075954300949,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.3","src_port":40461,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Google","proto_id":"126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00758{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":518,"source":"quic.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1463060980313862,"flow_src_last_pkt_time":1463060980404996,"flow_dst_last_pkt_time":1463060980377579,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":81,"flow_src_tot_l4_payload_len":157,"flow_dst_tot_l4_payload_len":81,"midstream":0,"thread_ts_usec":1463075954300949,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.3","src_port":40461,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/quic046.pcap.out b/test/results/quic046.pcap.out index 51c0509bf..1c0a550cc 100644 --- a/test/results/quic046.pcap.out +++ b/test/results/quic046.pcap.out @@ -5,7 +5,7 @@ 00969{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1584456191933380,"flow_src_last_pkt_time":1584456191933380,"flow_dst_last_pkt_time":1584456191933380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1584456191933380,"l3_proto":"ip4","src_ip":"192.168.1.236","dst_ip":"216.58.206.86","src_port":50587,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"i.ytimg.com","quic": {"user_agent":"Chrome\/80.0.3987.132 Windows NT 6.3; Win64; x64"}}} 01213{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1584456191934367,"flow_dst_last_pkt_time":1584456191933380,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":574,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":574,"pkt_l4_len":540,"thread_ts_usec":1584456191934367,"pkt":"ILABHGh4AJqdnpsZCABFAAIwVxBAAIAROIfAqAHs2DrOVsWbAbsCHCGo01EwNDZQtKT59fQu3TkAAAAChrDGo43cDq7OAgdbv23GehH0jM01fB5SqCBHGsm4tNDoSAuylkVeyVU1nO51BVLZDdQpzNO9j8lf2o\/kFvxF1keBb1V8bWQbm4GDCTzD9DJbwk6JCzbiEHbQt2\/y4DufAauHa+qhpg6F7I1VBRA5chHzaHSfbKq18eEDQ2D7fby9uiPXDB6cfTGjCACXfFYXGo9zhyaFNtzZv4x3bPv04LGnwloRH845hLIF6d5Y+oKP0inx4RVaOxEjSkSubSvYLun8u1+DAfAvr3DdmGZRAp60H0VhNkgFDR0TK1bvdtwD\/6cndHRtyUINoQIRApDi1wb1MmCAOOvL7steTPHXY5nIkaq4iXTy+WyGwwX1EiuR+wqkWZoB8nUqj3ZqApzNfexl+c7aCawPzdHT3P5zDq7dSyz1wAkXCTveL49FopZWy\/uuB+P5RJbaGpw3CvzBYR4o98uBght36oYbWpopqUw9u0okr+r3kEm4Q75LZzqLS97VgZsNPml00CwyHuDEnhiPWf19O4H99TJdYurnXZ+SQi1Zt2RI1GgBrEOAj7V7V\/6W2VgqcYkPqL1UO6lW\/zp\/K8LZMma1gVsHh4jJ1oXnE7Qjtqi9Um0bkNgFqZBX1s4cYf2FTDL0Lgyu2DOK3ATmX6nv91Qh9\/msYcWCN59XOhhsFRlmXSuc2N2TzOTtWg=="} 00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1584456191934926,"flow_dst_last_pkt_time":1584456191933380,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":128,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":128,"pkt_l4_len":94,"thread_ts_usec":1584456191934926,"pkt":"ILABHGh4AJqdnpsZCABFAAByVxFAAIAROkTAqAHs2DrOVsWbAbsAXuOl01EwNDZQtKT59fQu3TkAAAADQ7oFqOGvWa6mhIUAfFpbpAofPEreEA\/GGklYOasxEedYwPIHZE9zXMBgbnX+9bPuSN5MQzRW31QsSe2iJHxiKYqGbP8="} -01371{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1584456191933380,"flow_src_last_pkt_time":1584456191967570,"flow_dst_last_pkt_time":1584456191967633,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4485,"flow_dst_tot_l4_payload_len":23197,"midstream":0,"thread_ts_usec":1584456191967633,"l3_proto":"ip4","src_ip":"192.168.1.236","dst_ip":"216.58.206.86","src_port":50587,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":176,"flow_avg":128181296.0,"flow_max":4101733044,"flow_stddev":713670976.0,"c_to_s_min":557,"c_to_s_avg":315520544.0,"c_to_s_max":4101733044,"c_to_s_stddev":1092985344.0,"s_to_c_min":176,"s_to_c_avg":1802.8,"s_to_c_max":29469,"s_to_c_stddev":6521.4},"pktlen": {"c_to_s_min":70,"c_to_s_avg":387.0,"c_to_s_max":1392,"c_to_s_stddev":444.3,"s_to_c_min":62,"s_to_c_avg":1262.9,"s_to_c_max":1392,"s_to_c_stddev":377.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +01340{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1584456191933380,"flow_src_last_pkt_time":1584456191967570,"flow_dst_last_pkt_time":1584456191967633,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4485,"flow_dst_tot_l4_payload_len":23197,"midstream":0,"thread_ts_usec":1584456191967633,"l3_proto":"ip4","src_ip":"192.168.1.236","dst_ip":"216.58.206.86","src_port":50587,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":176,"flow_avg":2207.8,"flow_max":29469,"flow_stddev":6263.4,"c_to_s_min":557,"c_to_s_avg":2849.2,"c_to_s_max":21225,"c_to_s_stddev":5773.7,"s_to_c_min":176,"s_to_c_avg":1802.8,"s_to_c_max":29469,"s_to_c_stddev":6521.4},"pktlen": {"c_to_s_min":70,"c_to_s_avg":387.0,"c_to_s_max":1392,"c_to_s_stddev":444.3,"s_to_c_min":62,"s_to_c_avg":1262.9,"s_to_c_max":1392,"s_to_c_stddev":377.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00918{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":37,"flow_dst_packets_processed":63,"flow_first_seen":1584456191933380,"flow_src_last_pkt_time":1584456191984839,"flow_dst_last_pkt_time":1584456191986142,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":5170,"flow_dst_tot_l4_payload_len":81927,"midstream":0,"thread_ts_usec":1584456191986142,"l3_proto":"ip4","src_ip":"192.168.1.236","dst_ip":"216.58.206.86","src_port":50587,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"quic046.pcap","alias":"nDPId-test","packets-captured":100,"packets-processed":100,"total-skipped-flows":0,"total-l4-payload-len":87097,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1584456191986142} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/quic_q39.pcap.out b/test/results/quic_q39.pcap.out index 4625e1086..82565af19 100644 --- a/test/results/quic_q39.pcap.out +++ b/test/results/quic_q39.pcap.out @@ -5,7 +5,7 @@ 00972{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1509098995610775,"flow_src_last_pkt_time":1509098995610775,"flow_dst_last_pkt_time":1509098995610775,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1509098995610775,"l3_proto":"ip4","src_ip":"170.216.16.209","dst_ip":"21.157.183.227","src_port":38620,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"s.youtube.com","quic": {"user_agent":"com.google.android.youtube Cronet\/63.0.3223.7"}}} 02038{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1509098995619706,"flow_dst_last_pkt_time":1509098995610775,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1174,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1174,"pkt_l4_len":1140,"thread_ts_usec":1509098995619706,"pkt":"AAAAPJ7rSEb7OSWDCABFAASIpypAAD8RBxGq2BDRFZ2345bcAbsEdFQcDeca1dd1bE1NUTAzOQJfXHZ4r4NHY5hNEdjLP+5ayCAfN4aRrJwcGbvr9Ig30\/shURCI87o6EE5x2r0qaxNPy9ijcArYvwm83T\/uUNOwvPrQL1kQ63P7NcdMjvNaDrlFf0DGfuOc7NBPTTXBkaePu98lEtAf3wsOApXg5IhtfmWdfKrgEpCXWFWsxttw6C4\/lCwJqkUGaOjHW5OhnY9r8qCDBdkX4XN\/4WmFW6nWq\/XYAKSy+w3zKPd0+LJKlxsYwrzgGV2rjQwmb93iv1FFvCzNy4lqNoUoMblenytDJV5TJvGYH4s+\/7AX7HDhbJj+lIeaRA3g7dV3H3kgoU\/SpbsdOzy0YVY6Bp9yZermraiyHURn7bAotygD2Vp7YwNcdNEG9BU3funEay5GDjyBK1j66ZDJgNXirLZjzse1+VcJnT0WzMubicwvU30jDw+McSt9Bti6\/gP9FAz9\/lD31IeL8vackSc4lx75mviO5HS6BA\/NqsjQ9B8m4Ji2diYR80xUpIbgdFQiU+oifhm6+LGlaffXf5zfdWBFidIfld\/b7JT3SCK0xn1oi2TKxI8Oroqc4ijms7JGelhl0fef2CpmP0WCIT2YgyU6YwvWa1W7lII+N1ZbTeUAByGqF1QhTf5cSKd79GJRi+dbNY7B3Wj4KJv9v8GAF7TKwPiEZdDEpbOPHL\/FjvVpM04y5hU8HR+06oyFgTK1\/6hdbKNXNH9cJjr2nmUmezntPWc2AFfXM+e\/7E1fv7zcT4Kq1YOLXr9\/RjJvDNQoj81czTWLgfREm6KUrj\/r6fSbFJFnhuScfBlR9k2Pc7b3lIEZb0KXGhxHCyB1J7D8gUoqDhJYFGV+VkGVNhJpozvYPJ8ykH\/Y41HD8nsSDL9iDj9URAxCKHefDlX7Pwz6OhBfkcIZAyY3zG\/w9rr4x0Pl7U6qcsdZ1MBpDJ9qjugA+Tt8C4JpvLxNAR0kx92LyFnt3BYr58WDPwTbktI01oxzKDO5QfY46azjmnqJ+Or2LI93bDxwCMYKsLGAmehhGKZad4Iy8CQig4MBQDG0NMhHKAI6+BaplljmUnDnEalyg57\/03tWWLR4CQIYoKQ9N\/\/fDmFtkFJjraB0A767qxG7Cy8Linc3qzCa86538v6kM371bSCg\/XlL+EWzVEgq8MNOp+Kf2xPBIqWXFiVMGJ1GcpQwm6iQItRpY+85J5+RUK5X+3OW5ex3EYIjJUr+g2x3sFkDiuAsaRHgrjj6WnNpOZnghw1uaYp+E3H8VPrRSwSKqch7lieJx+ojtBtD\/W9etVSxGJeGD7lz+4wIhuht4d\/jcmgefkRDKcrraaR9azCKs\/kbJ\/PpVxbRsVvTZyAXgG+ABf\/0Dt+UshFkLro\/tuKww4FrErwElInQ+88Azyk3w8tcu1AYrDqSPj2BvjSRVwl0PO7TtbVWqgcuYET3exljbs22Rr5eyEoiPXhNZMDC79zLn441b43FrUKvwSHTJR\/j33VYKbaP4oVCvb26Vw=="} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1509098995619706,"flow_dst_last_pkt_time":1509098995647453,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"thread_ts_usec":1509098995647453,"pkt":"AAAAPJ7rSEb7OSWDCABFAAA\/AABAADgRuYQVnbfjqtgQ0QG7ltwAKyQ\/COca1dd1bE1NATKbKH1UbNEn\/TIU5EABJEsBAQAAAAANBgA="} -01375{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1509098995610775,"flow_src_last_pkt_time":1509099004752497,"flow_dst_last_pkt_time":1509099004382425,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":41,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":14377,"flow_dst_tot_l4_payload_len":2074,"midstream":0,"thread_ts_usec":1509099004752497,"l3_proto":"ip4","src_ip":"170.216.16.209","dst_ip":"21.157.183.227","src_port":38620,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":66391628.0,"flow_max":2106618759,"flow_stddev":366438720.0,"c_to_s_min":1367,"c_to_s_avg":132235032.0,"c_to_s_max":2106618759,"c_to_s_stddev":509785792.0,"s_to_c_min":7,"s_to_c_avg":548228.1,"s_to_c_max":6514643,"s_to_c_stddev":1553150.4},"pktlen": {"c_to_s_min":83,"c_to_s_avg":940.6,"c_to_s_max":1392,"c_to_s_stddev":575.5,"s_to_c_min":60,"s_to_c_avg":171.9,"s_to_c_max":1392,"s_to_c_stddev":320.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +01360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1509098995610775,"flow_src_last_pkt_time":1509099004752497,"flow_dst_last_pkt_time":1509099004382425,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":41,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":14377,"flow_dst_tot_l4_payload_len":2074,"midstream":0,"thread_ts_usec":1509099004752497,"l3_proto":"ip4","src_ip":"170.216.16.209","dst_ip":"21.157.183.227","src_port":38620,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":577850.7,"flow_max":6514643,"flow_stddev":1531988.4,"c_to_s_min":1367,"c_to_s_avg":609448.1,"c_to_s_max":6185342,"c_to_s_stddev":1508447.4,"s_to_c_min":7,"s_to_c_avg":548228.1,"s_to_c_max":6514643,"s_to_c_stddev":1553150.4},"pktlen": {"c_to_s_min":83,"c_to_s_avg":940.6,"c_to_s_max":1392,"c_to_s_stddev":575.5,"s_to_c_min":60,"s_to_c_avg":171.9,"s_to_c_max":1392,"s_to_c_stddev":320.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00920{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":60,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":33,"flow_first_seen":1509098995610775,"flow_src_last_pkt_time":1509099044522763,"flow_dst_last_pkt_time":1509099044559423,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":18965,"flow_dst_tot_l4_payload_len":2686,"midstream":0,"thread_ts_usec":1509099044559423,"l3_proto":"ip4","src_ip":"170.216.16.209","dst_ip":"21.157.183.227","src_port":38620,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":60,"source":"quic_q39.pcap","alias":"nDPId-test","packets-captured":60,"packets-processed":60,"total-skipped-flows":0,"total-l4-payload-len":21651,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1509099044559423} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/quic_t51.pcap.out b/test/results/quic_t51.pcap.out index 3fbd8d6c8..f680e234c 100644 --- a/test/results/quic_t51.pcap.out +++ b/test/results/quic_t51.pcap.out @@ -5,7 +5,7 @@ 01167{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620434413428,"flow_dst_last_pkt_time":1598620434413428,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1598620434413428,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.google.com","quic": {"user_agent":"dev Chrome\/86.0.4240.9 Windows NT 6.1; Win64; x64","tls": {"version":"TLSv1.3","ja3":"92e76078d514999cd950474995dab2b5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-T051","tls_supported_versions":"TLSv1.3"}}}} 02325{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1598620434413428,"flow_dst_last_pkt_time":1598620434419300,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1598620434419300,"pkt":"AAAAAAAAAAIA\/tPQCABFAAViAABAADcRkr3T95Nau+OImAG72DwFTvx1wFQwNTEACP+UFbWwBYYNAEU0cA7ob5DRu6SNsqDMEz7qri8UnfijZV8Hhw\/oxky0x+Zt0s6erWm7kWn2+1owrYTdI9p89OpW\/6ptpwv9v0J5BjJyyLuuQ7qMgzGXDs2ur++juUsUpOdkAs5K5BYVfQAmPmXEGyVgmyCeUg1T7Vj6FslmnDV909IngQqr2X3bAL3as4fB8O0bAq64I2nnjXRSsXtOF+WecFDOIkhsUozc+8M2nJh6kczAN6BO7Q6B24T4pTF7f\/SWotAh0wmioZGWvmsK3tbjrCGONmSc7G6EA+eCMtEUY\/yq8VyKOSmIHald\/L7JGCPyNYCQuoSWiWNaW\/I+iZ2Tm83YJ0ULZZc8urwFDYH3aj1AkglwflqENARW1+\/0Wgf8CdNT18FiabAis+X7vPL\/K0rfVmIy72rlRNRfOG7y7nzx1KwQOQc8aCVF3CWYU+Lmd10cKRMsTRDen+t7CfJT6D6czKmRS9zHy8defw2VL+sr4ea6knMol1lydS5om9MxXCYpqegXuWZiFTSbzJvhE4RaqOqWqlC3CyDO4ySp0wcYRr6Xiz\/ypHsBLBgujZNocUdxB92srmLhWvU+EKXNqnvn4sN9tP\/B4VI81UNJfpKqafd5TbC3xVerPG2FpOE4rg1k2rQi9r6v1+PQ\/d3R0LlFcbJ1hI9fgnNKZUfeIejFNzw84ZCPAGKEZF9DRij\/q7+ynKTHsKprl5SyrzqmDatgR6jPni4YdUIipVxz2xAMDSfgGHJudxWet0g70XvUgRUnZwnINCVHKug\/Cwaar4s1XCM8uhzoEef40bHIf\/1cPPikcn5BGvUj0yq5vKOgKlUAn1Pgd3RmxD4udRVK4hr3Qq2qz0yzGHjPkF5V31PdO+LbljCDil0atM9nNzYRQDTxXIy4ROBhbRF0GC5xxy\/5G1Z3EVEXnUgV7cKAoSoRYsJk+ehBddHi\/2\/aZLTP9GUgaj03e1ZAUqg\/pLbgzkOggtkBYwlEystem00J3RiW59azSXPWDzpQD37GvUqWpvchJjuAPROhp0eQOeyP6Sm5m8Ha1f9MDT\/mDWqN\/iBuFORPOJebKiYDmtBTotFqfXW1txgynw6EHUJzSE+pl4MdTTWGiKeLLjK6VcgkjK3QCvZi2YAV34jHwjHZGw2P\/U6KrMCfYoKLgcta7eGwEJgt1TEOATVA86YdSNrUK8Cm6qplxo7u2vCTdHfHERZHXlWiV5V+M6yg8jJ+w71hYe+9QRnWDWxxhFwqS3Rom5NgfL3qyZPAg7B0TvVcGC3k1t2hVxdIBJT1YLB9P8xcq205KojLAkrnJ6A03YtC2cE+\/GfTI6rrSdcn22uQHH1uwQgPFlvo5F8SRGnmtqbBCoQkhDA10opFpEUHAKVRysF1xT\/NgfiMQHD+An4IrPRfuv9gDg0rUkwJww22wh5gLlRkZ\/Syy5BClTzH9Eje2q1QlkG4NyNIdxlgTeTWfrV+owYm4Q+FXDFSqiziTTjYt929oBaNekN7DaLZNKBHzE9aRpnZjKaGJOIkilbSRnfMsOP+KhOdyxkYqJB7lgyVuE7zA+Cs6QfiNfeFBdysqGJcMLaCJe1XQZYseYZCHv9I1fYRd7rHJDJ5TLxG9ZoKBvyy9qAFruCnQdJM3kRJUF0ZdxtTsL1YtSrJYqn3hcGRfsN64Wu2ioNCdgwzJ\/IOr225URP0O\/yfvAjNTo393KgekGIplrSAr2vqB7j6oyQmlBJgPRuYDzTKmIMBKNHRY+Gk4U31TV\/ldcN5g5htDYX20DA3i7tEfKzfbUYY"} 02326{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1598620434482713,"flow_dst_last_pkt_time":1598620434419300,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1598620434482713,"pkt":"AAAAAAAAAAgAH83gCABFAAViXl9AAH8R7F2744iY0\/eTWtg8AbsFTtamzVQwNTEI\/5QVtbAFhg0AAEU0KsIg8w2st8fMy25uq6gsPA7KRO4wWARaQxn0e+nvMAG\/ncVOK2\/1iV8zM1GT+gj2yfRnYitTLViCwPF0TV0R7p64xnLqwrHTiNaW89JgMAHQze00LP7FiTbOvqpo5S+7AzCO4J36LH8gasnIPNye5ytyGP9hxarM0Gwv6wB1BKIgh6Hfi9vN\/Jaq\/hKaWtnsFyqFx21T1U0YmQzCOhcYGHZNHNGEmxqlfOiET0cy7A2zooythTNQBScefWz4fyugA0KO5z5EPbOCuLPnOhJ8u0jAA5snZ9Av4lfTCNurCTo\/b96gqEMXFCAN6kklskS6mSW1P2yxo93FRN9w3VFPyMe8m7WnAxPUMrijM3bZFrpYXz6N3LoSvj\/7t1mbaz3Ew6W7CCET2\/vUPuty0yYuKN9hlZRGZDAOI7p7UV84zBa3MKUoIB90BBwtqXlv\/AcyfRFhSrAf1TPDIen8IRojBr5qTqwwDIcvMREVIsmeXYDDAIh87njz+3l6UiC0r72z0Vz8KlwPmvyd1tNbK4UoVu5yliqV7BzHAT0P+flRjAVL+Vtw\/1eTO0KLmizThDqycqyAF1MjS6cC4BRlgBDuBvC7oqizuHTk4JOICP+TLa71t9U0MO4SvptmKRFy9UA159ziHHDRbAhIzzVEm+HGxTjT93PUzlkT4beWAgYYW5swcH8m2E+qX\/jfh4l+RAJ7s1FC99eqQD\/G2qHKz49sTvtw3eknSSHiADw1dFNDiGytHeAJqgKsYZ6xbxYgMT8vQQJWpcCaoPnc1R\/36QBSKDfO0Ei6I0Nk2Twp2jW7ybYg3WV9zcO8mcO+t2rUANioNNaghKiQ6\/\/kCvnfaOZl9\/nMaaP8oRI80YNnM3bBLePCUoIodPlfRsS+qRORwVaYVbmTkVd+7OOE68KIf+CtQJzWPG1I9szX6EUokwcVW4JeKB3DLXSgUJqbrCp8nB5Gt1Xl+DVmAWNn0zlmAkUkIYwVaRlUBt12nmZM5GfCFjeNYwyxKhMtco0zqNoFh6GPimEo\/HJoIaculB01PGh4MlKE33m6lcbQnV2mcjQy9+X6G7gJAvssvNVim+h2CyUIa0AFnvBEp0BZ0LQBw4xxW1+LO+851oEKlpBHf2CaPTJQbQ3lYLcFUbbZ7WxtncvtHzy\/SI9UgKeWcagnCcsYLbPsnPnloEl6cnUj6vnGVoFZ0zI4TVPk88\/biBoFXX37AYSAsISWoXJh5fdyK7Ub3uTshAtqeqBBTUeUFjb5Aj4cdCLyefeqdX7eVX7iolZTDjMHw6WHcQg9j8QT5ZehE6eQ3EWBv\/dyJkxi+P\/\/5RRqzAOol5xZb6h4LuhsvzWHQihAaP9MzFNZJKsrSoe\/spLPEQi09YKZ53xMfFjPTNozP7awNtIb6QltDJNIByFfslEQklWBp3nSDDraHwFBspLwhrXO\/4KJq80I0e6UvL2AGkUJ3WcnYVtrSbxxk4APJ7JesOtrVvfG0zUeYMWMSCdfwkF4KodqZGtJ3QATjzBea+nTD5uHk34dDyJnSJKk0ILq0jIFLho8LlWIyJH4QOXOz4qaWrv1Yq7zohspvZk7qqBfzWtq9nyRWQ1TZln6OTuRj1nSwDkH3Qwyv3P3ftVCIjgLduzJ1KxoPir\/gAp5xz8YWBMXoD3IJzkv\/PGQNpizq54tSdx\/+EwNQ0FXkMrTDVKVITAuSnBIkg9sH6JW+WpNYsbAPv3JnEFyzt8fIeM\/r0Qmf+N6zxgE9jaSg9C2Ue6YSiQO2VAdyYTxTvnFaxwR"} -01382{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620467988515,"flow_dst_last_pkt_time":1598620467941031,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4666,"flow_dst_tot_l4_payload_len":8428,"midstream":0,"thread_ts_usec":1598620467988515,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":112786672.0,"flow_max":3542070884,"flow_stddev":615938944.0,"c_to_s_min":2317,"c_to_s_avg":255403280.0,"c_to_s_max":3542070884,"c_to_s_stddev":911573376.0,"s_to_c_min":7,"s_to_c_avg":1862644.6,"s_to_c_max":19582580,"s_to_c_stddev":4910066.0},"pktlen": {"c_to_s_min":75,"c_to_s_avg":375.3,"c_to_s_max":1392,"c_to_s_stddev":484.2,"s_to_c_min":67,"s_to_c_avg":510.2,"s_to_c_max":1392,"s_to_c_stddev":504.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01370{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620467988515,"flow_dst_last_pkt_time":1598620467941031,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4666,"flow_dst_tot_l4_payload_len":8428,"midstream":0,"thread_ts_usec":1598620467988515,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":2164602.8,"flow_max":19582580,"flow_stddev":5209676.0,"c_to_s_min":2317,"c_to_s_avg":2582699.0,"c_to_s_max":19472426,"c_to_s_stddev":5571157.0,"s_to_c_min":7,"s_to_c_avg":1862644.6,"s_to_c_max":19582580,"s_to_c_stddev":4910066.0},"pktlen": {"c_to_s_min":75,"c_to_s_avg":375.3,"c_to_s_max":1392,"c_to_s_stddev":484.2,"s_to_c_min":67,"s_to_c_avg":510.2,"s_to_c_max":1392,"s_to_c_stddev":504.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":642,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":171,"flow_dst_packets_processed":471,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620524479693,"flow_dst_last_pkt_time":1598620524442441,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":21835,"flow_dst_tot_l4_payload_len":524919,"midstream":0,"thread_ts_usec":1598620524479693,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":642,"source":"quic_t51.pcap","alias":"nDPId-test","packets-captured":642,"packets-processed":642,"total-skipped-flows":0,"total-l4-payload-len":546754,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1598620524479693} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/quickplay.pcap.out b/test/results/quickplay.pcap.out index 9b695015b..ccfd183b3 100644 --- a/test/results/quickplay.pcap.out +++ b/test/results/quickplay.pcap.out @@ -63,7 +63,7 @@ 01111{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1429000054688452,"flow_dst_last_pkt_time":1429000054555518,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":500,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":500,"pkt_l4_len":464,"thread_ts_usec":1429000054688452,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAeRjvEAAPwaG4wo2qfp4HCMoyykAUHABs6PLUc5cUBgk\/ZRuAABHRVQgL3NlZy92b2wxL3MvV2FybmVyL3FwbWV6emhhd2tkaWdpdGFsY29udGFnaW9uMjA1NDAzM2ZlYXR1cmVlbmdsaXNoMjBsdHJ0MjM5NzZmcHM3ODM0MTkyLzIwMTUtMDItMDIvU1RWODBSMTkyL3FwbWV6ei1IYXdrX0RpZ2l0YWxfQ09OVEFHSU9OXzIwNTQwMzNfRkVBVFVSRV9FTkdMSVNIXzJfMF9MVFJUXzIzOTc2ZnBzXzc4MzQxOTIubTJ0X1NUVjgwUjE5Mi0wMDIxLnRzIEhUVFAvMS4xDQpIb3N0OiB2b2Qtc2luZ3RlbGhhd2sucXVpY2twbGF5LmNvbQ0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDQuNC40OyBNSSAzVyBCdWlsZC9LVFU4NFApIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS8zMy4wLjAuMCBNb2JpbGUgU2FmYXJpLzUzNy4zNg0KDQo="} 00792{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1429000054595190,"flow_dst_last_pkt_time":1429000054967566,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":261,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":261,"pkt_l4_len":225,"thread_ts_usec":1429000054967566,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAPUEEkAArQbHccvNgWUKNqn6AFCnCorJCJ8MOwSFUBgII8UCAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KQ29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9bWljcm9tc2dyZXNwLmRhdA0KQ29udGVudC1MZW5ndGg6IDQ3DQoNCn5fAAAAAFUr0H3fAhACF0hkbD5sDN+EgwDvBAYGAAAXudj2eCNNjv4Uv\/n42\/lx"} 00791{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_src_last_pkt_time":1429000052350287,"flow_dst_last_pkt_time":1429000055158240,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":261,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":261,"pkt_l4_len":225,"thread_ts_usec":1429000055158240,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAPUJYkAArAas5svNl6AKNqn6AFDWZdcfCppPknoiUBkIIrzXAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KQ29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9bWljcm9tc2dyZXNwLmRhdA0KQ29udGVudC1MZW5ndGg6IDQ3DQoNCn5fAAAAAFUr0H3fAhACF0hkbD5sDN+EgwD\/BAgIAACTADJ0e1hwz8xBqPPud44t"} -01373{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1429000052217627,"flow_src_last_pkt_time":1429000090450568,"flow_dst_last_pkt_time":1429000090229285,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":444,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":8360,"flow_dst_tot_l4_payload_len":10852,"midstream":1,"thread_ts_usec":1429000090450568,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"120.28.35.40","src_port":52009,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":182557,"flow_avg":2450004.5,"flow_max":5871155,"flow_stddev":1311364.0,"c_to_s_min":182557,"c_to_s_avg":2243805.0,"c_to_s_max":5871155,"c_to_s_stddev":1365772.4,"s_to_c_min":645600,"s_to_c_avg":2715118.2,"s_to_c_max":5776550,"s_to_c_stddev":1186359.2},"pktlen": {"c_to_s_min":500,"c_to_s_avg":520.4,"c_to_s_max":587,"c_to_s_stddev":34.8,"s_to_c_min":76,"s_to_c_avg":831.1,"s_to_c_max":1456,"s_to_c_stddev":469.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":17,"category":"Streaming"}} +01373{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1429000052217627,"flow_src_last_pkt_time":1429000090450568,"flow_dst_last_pkt_time":1429000090229285,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":444,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":8360,"flow_dst_tot_l4_payload_len":10852,"midstream":1,"thread_ts_usec":1429000090450568,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"120.28.35.40","src_port":52009,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":182557,"flow_avg":2459503.2,"flow_max":5871155,"flow_stddev":1331263.2,"c_to_s_min":182557,"c_to_s_avg":2248996.5,"c_to_s_max":5871155,"c_to_s_stddev":1405195.5,"s_to_c_min":645600,"s_to_c_avg":2715118.2,"s_to_c_max":5776550,"s_to_c_stddev":1186359.2},"pktlen": {"c_to_s_min":500,"c_to_s_avg":520.4,"c_to_s_max":587,"c_to_s_stddev":34.8,"s_to_c_min":76,"s_to_c_avg":831.1,"s_to_c_max":1456,"s_to_c_stddev":469.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":17,"category":"Streaming"}} 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1429000110390234,"flow_src_last_pkt_time":1429000110390234,"flow_dst_last_pkt_time":1429000110390234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":625,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":625,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":625,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1429000110390234,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.147.215","src_port":35670,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 01356{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1429000110390234,"flow_dst_last_pkt_time":1429000110390234,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":681,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":681,"pkt_l4_len":645,"thread_ts_usec":1429000110390234,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAApm620AAPwZqrgo2qfrLzZPXi1YAUBkYU+pems3wUBgAbqLPAABQT1NUIGh0dHA6Ly9oa21pbm9yc2hvcnQud2VpeGluLnFxLmNvbS9jZ2ktYmluL21pY3JvbXNnLWJpbi9ydGt2cmVwb3J0IEhUVFAvMS4xDQpBY2NlcHQ6ICovKg0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LUxlbmd0aDogMzU1DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KSG9zdDogaGttaW5vcnNob3J0LndlaXhpbi5xcS5jb20NClVzZXItQWdlbnQ6IE1pY3JvTWVzc2VuZ2VyIENsaWVudA0KDQqNXyYBAEFVK9B93wIQAhdIZGw+bAzfhIMAzAXaBLgCxN0BAsPj4k0n0ICdjYK52ViOWnOC4Vzgxi7+iegOsMW+oW6QdEAHg+UlyxaSBb9\/s0oeR4gum6gk+uWhqjv3Tkoz3jpOxZ3uqg5IoeAevVK78mE+75Mm5QEXaL\/24wa8I4nsiJTVEr54yg9WsIjA1I\/cd65YM57jS4+t1kJ\/xpqwwPsMfqK2G34N85Xo0uWP1F2PyLEjHiJZyK4xRu\/XYVzahdDn1vQRPtqQ3i2o6ggKNGN3kBkFa6C2GO0zTqwt7XUYqb0ppGq3KKIyPCtrTg5YICuEsfTDMTLer3J067M5VD93Ij+RkxqqGFN9+gvu+C\/smM0OksnEYsvtVnkr65ZF5Pk4qVPYHRDIlRcRHe0XzckIkJitYHFr8VSN2R6GxFfZK0YtMPQdmLxH6qLecheL3Cuuz7XcYpBc6JGpDIih+q4v"} 01248{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1429000110390234,"flow_src_last_pkt_time":1429000110390234,"flow_dst_last_pkt_time":1429000110390234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":625,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":625,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":625,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1429000110390234,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.147.215","src_port":35670,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP_Proxy.QQ","proto_id":"131.48","encrypted":0,"breed":"Fun","category_id":9,"category":"Chat","hostname":"hkminorshort.weixin.qq.com","http": {"url":"http:\/\/hkminorshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/rtkvreport","code":0,"content_type":"","user_agent":"MicroMessenger Client","request_content_type":"application\/octet-stream"}}} diff --git a/test/results/rdp.pcap.out b/test/results/rdp.pcap.out index 903750621..277da8d15 100644 --- a/test/results/rdp.pcap.out +++ b/test/results/rdp.pcap.out @@ -5,7 +5,7 @@ 00506{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1559207465138576,"flow_dst_last_pkt_time":1559207465180991,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":4,"pkt_l4_offset":24,"pkt_len":56,"pkt_l4_len":32,"thread_ts_usec":1559207465180991,"pkt":"AgAAAEUAADRflEAAfwYqMMCoAo6sEAK5DT3NDkeav7z5vOJZgBL6AEVOAAACBAW0AQMDAAEBBAI="} 00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1559207465181061,"flow_dst_last_pkt_time":1559207465180991,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":44,"pkt_type":2048,"pkt_l3_offset":4,"pkt_l4_offset":24,"pkt_len":44,"pkt_l4_len":20,"thread_ts_usec":1559207465181061,"pkt":"AgAAAEUAACgAAEAAQAbI0KwQArnAqAKOzQ4NPfm84llHmr+9UBAgAGAaAAA="} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1559207465138576,"flow_src_last_pkt_time":1559207465181421,"flow_dst_last_pkt_time":1559207465180991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":19,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":19,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1559207465181421,"l3_proto":"ip4","src_ip":"172.16.2.185","dst_ip":"192.168.2.142","src_port":52494,"dst_port":3389,"l4_proto":"tcp","ndpi": {"flow_risk": {"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"RDP","proto_id":"88","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} -01491{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1559207465138576,"flow_src_last_pkt_time":1559207465679719,"flow_dst_last_pkt_time":1559207465679652,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":572,"flow_dst_max_l4_payload_len":1179,"flow_src_tot_l4_payload_len":1691,"flow_dst_tot_l4_payload_len":1900,"midstream":0,"thread_ts_usec":1559207465679719,"l3_proto":"ip4","src_ip":"172.16.2.185","dst_ip":"192.168.2.142","src_port":52494,"dst_port":3389,"l4_proto":"tcp","flow_datalink":0,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":149,"flow_avg":37305824.0,"flow_max":1192704128,"flow_stddev":207515664.0,"c_to_s_min":149,"c_to_s_avg":56821204.0,"c_to_s_max":1192704128,"c_to_s_stddev":253991136.0,"s_to_c_min":40251,"s_to_c_avg":49188.7,"s_to_c_max":86174,"s_to_c_stddev":12298.1},"pktlen": {"c_to_s_min":44,"c_to_s_avg":125.7,"c_to_s_max":616,"c_to_s_stddev":154.0,"s_to_c_min":44,"s_to_c_avg":217.8,"s_to_c_max":1223,"s_to_c_stddev":327.8}},"ndpi": {"flow_risk": {"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"RDP","proto_id":"88","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +01467{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1559207465138576,"flow_src_last_pkt_time":1559207465679719,"flow_dst_last_pkt_time":1559207465679652,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":572,"flow_dst_max_l4_payload_len":1179,"flow_src_tot_l4_payload_len":1691,"flow_dst_tot_l4_payload_len":1900,"midstream":0,"thread_ts_usec":1559207465679719,"l3_proto":"ip4","src_ip":"172.16.2.185","dst_ip":"192.168.2.142","src_port":52494,"dst_port":3389,"l4_proto":"tcp","flow_datalink":0,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":149,"flow_avg":34910.3,"flow_max":86174,"flow_stddev":23095.5,"c_to_s_min":149,"c_to_s_avg":27057.2,"c_to_s_max":83348,"c_to_s_stddev":23870.2,"s_to_c_min":40251,"s_to_c_avg":49188.7,"s_to_c_max":86174,"s_to_c_stddev":12298.1},"pktlen": {"c_to_s_min":44,"c_to_s_avg":125.7,"c_to_s_max":616,"c_to_s_stddev":154.0,"s_to_c_min":44,"s_to_c_avg":217.8,"s_to_c_max":1223,"s_to_c_stddev":327.8}},"ndpi": {"flow_risk": {"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"RDP","proto_id":"88","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 01045{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2010,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":936,"flow_dst_packets_processed":1074,"flow_first_seen":1559207465138576,"flow_src_last_pkt_time":1559207472612156,"flow_dst_last_pkt_time":1559207472692980,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":578,"flow_dst_max_l4_payload_len":1273,"flow_src_tot_l4_payload_len":17682,"flow_dst_tot_l4_payload_len":516561,"midstream":0,"thread_ts_usec":1559207472692980,"l3_proto":"ip4","src_ip":"172.16.2.185","dst_ip":"192.168.2.142","src_port":52494,"dst_port":3389,"l4_proto":"tcp","flow_datalink":0,"flow_max_packets":3,"ndpi": {"flow_risk": {"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"RDP","proto_id":"88","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":2010,"source":"rdp.pcap","alias":"nDPId-test","packets-captured":2010,"packets-processed":2010,"total-skipped-flows":0,"total-l4-payload-len":534243,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1559207472692980} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 123445/123445 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 474 chars -~~ json string max len.......: 1496 chars -~~ json string avg len.......: 945 chars +~~ json string max len.......: 1472 chars +~~ json string avg len.......: 934 chars diff --git a/test/results/reasm_crash_anon.pcapng.out b/test/results/reasm_crash_anon.pcapng.out index e62032560..b846a62c7 100644 --- a/test/results/reasm_crash_anon.pcapng.out +++ b/test/results/reasm_crash_anon.pcapng.out @@ -4,7 +4,7 @@ 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1410865705717955,"flow_dst_last_pkt_time":1410865705717955,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1410865705717955,"pkt":"AAQAAQAGplhD8kgGAAAIAEUAAEEBjUAAQAbTicCokZMK0QiUyBJV7zv7Y\/\/dkdtagBghO+7bAAABAQgKPplWKzpg4vE8ZGV0YWlscyAvPg0K"} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1410865705717964,"flow_dst_last_pkt_time":1410865705717955,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1410865705717964,"pkt":"AAQAAQAGplhD8kgGAAAIAEUAAEEBjUAAQAbTicCokZMK0QiUyBJV7zv7Y\/\/dkdtagBghO+7bAAABAQgKPplWKzpg4vE8ZGV0YWlscyAvPg0K"} 00642{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1410865705717964,"flow_dst_last_pkt_time":1410865705719465,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":142,"pkt_l4_len":106,"thread_ts_usec":1410865705719465,"pkt":"AAAAAQAGUrCAkIlsAAAIAEUAAH6lHkAAQAYvuwrRCJTAqJGTVe\/IEt2R21o7+2QM0BgBxZZgqqoBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAaqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqg=="} -01235{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1410865705717955,"flow_src_last_pkt_time":1410865856222147,"flow_dst_last_pkt_time":1410865856222116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":725,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":3158,"midstream":1,"thread_ts_usec":1410865856222147,"l3_proto":"ip4","src_ip":"192.168.145.147","dst_ip":"10.209.8.148","src_port":51218,"dst_port":21999,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":112804016.0,"flow_max":3308720051,"flow_stddev":574170368.0,"c_to_s_min":3,"c_to_s_avg":150401056.0,"c_to_s_max":3308720051,"c_to_s_stddev":673468736.0,"s_to_c_min":1246,"s_to_c_avg":16722684.0,"s_to_c_max":30165638,"s_to_c_stddev":14956081.0},"pktlen": {"c_to_s_min":68,"c_to_s_avg":73.1,"c_to_s_max":81,"c_to_s_stddev":6.3,"s_to_c_min":122,"s_to_c_avg":421.1,"s_to_c_max":793,"s_to_c_stddev":330.0}}} +01225{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1410865705717955,"flow_src_last_pkt_time":1410865856222147,"flow_dst_last_pkt_time":1410865856222116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":725,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":3158,"midstream":1,"thread_ts_usec":1410865856222147,"l3_proto":"ip4","src_ip":"192.168.145.147","dst_ip":"10.209.8.148","src_port":51218,"dst_port":21999,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":9709947.0,"flow_max":30165638,"flow_stddev":14064983.0,"c_to_s_min":3,"c_to_s_avg":6841099.5,"c_to_s_max":30097711,"c_to_s_stddev":12605383.0,"s_to_c_min":1246,"s_to_c_avg":16722684.0,"s_to_c_max":30165638,"s_to_c_stddev":14956081.0},"pktlen": {"c_to_s_min":68,"c_to_s_avg":73.1,"c_to_s_max":81,"c_to_s_stddev":6.3,"s_to_c_min":122,"s_to_c_avg":421.1,"s_to_c_max":793,"s_to_c_stddev":330.0}}} 00822{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":32,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1410865705717955,"flow_src_last_pkt_time":1410865856222147,"flow_dst_last_pkt_time":1410865856222116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":725,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":3158,"midstream":1,"thread_ts_usec":1410865856222147,"l3_proto":"ip4","src_ip":"192.168.145.147","dst_ip":"10.209.8.148","src_port":51218,"dst_port":21999,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00567{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":94,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","packets-captured":94,"packets-processed":93,"total-skipped-flows":0,"total-l4-payload-len":5079,"total-not-detected-flows":1,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1410866307727956} 00571{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":170,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","packets-captured":170,"packets-processed":169,"total-skipped-flows":0,"total-l4-payload-len":6225,"total-not-detected-flows":1,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1410866909737971} @@ -23,5 +23,5 @@ ~~ total allocations/frees...: 121644/121644 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars -~~ json string max len.......: 1240 chars -~~ json string avg len.......: 860 chars +~~ json string max len.......: 1230 chars +~~ json string avg len.......: 855 chars diff --git a/test/results/reasm_segv_anon.pcapng.out b/test/results/reasm_segv_anon.pcapng.out index 489574a4b..92b01cb87 100644 --- a/test/results/reasm_segv_anon.pcapng.out +++ b/test/results/reasm_segv_anon.pcapng.out @@ -23,7 +23,7 @@ 00438{"packet_event_id":1,"packet_event_name":"packet","packet_id":26,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":114,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":114,"pkt_l4_len":0,"thread_ts_usec":1550422831516116,"pkt":"AAAAcxs8EFFy5LtdCABFeABkmSIAAEARXQGRTALsu2A0VQhoCGgAUAAAMv8AQAn8kEPqcwAARQAAPFk9QAB\/BgFvrBEkFT++kSvhEwBQ8LOPBjqqWZmgEAEB\/lMAAAEBBRI6qnTxOqqQSTqqZIk6qm95"} 00244{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","datalink":1,"packet_id":30,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","size":114,"expected":118,"global_ts_usec":1550422833287234} 00437{"packet_event_id":1,"packet_event_name":"packet","packet_id":30,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":114,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":114,"pkt_l4_len":0,"thread_ts_usec":1550422833134009,"pkt":"AAAAcxs8EFFy5LtdCABFeABkzGMAAEARKcCRTALsu2A0VQhoCGgAUAAAMv8AQAn8kEPrcwAARQAAPFk+QAB\/BgFurBEkFT++kSvhEwBQ8LOPBjqqXxGgEAEB+NsAAAEBBRI6qnTxOqqQSTqqZIk6qm95"} -01384{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1550422828553466,"flow_src_last_pkt_time":1550422833287234,"flow_dst_last_pkt_time":1550422833289770,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":640,"flow_dst_tot_l4_payload_len":27912,"midstream":0,"thread_ts_usec":1550422833289770,"l3_proto":"ip4","src_ip":"145.76.2.236","dst_ip":"187.96.52.85","src_port":2152,"dst_port":2152,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":127146144.0,"flow_max":4059206634,"flow_stddev":706219136.0,"c_to_s_min":20078,"c_to_s_avg":451548928.0,"c_to_s_max":4059206634,"c_to_s_stddev":1275499776.0,"s_to_c_min":1,"s_to_c_avg":205926.3,"s_to_c_max":1799040,"s_to_c_stddev":480202.4},"pktlen": {"c_to_s_min":106,"c_to_s_avg":113.1,"c_to_s_max":122,"c_to_s_stddev":5.9,"s_to_c_min":90,"s_to_c_avg":1255.6,"s_to_c_max":1490,"s_to_c_stddev":472.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"GTP.GTP_U","proto_id":"152.271","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01365{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1550422828553466,"flow_src_last_pkt_time":1550422833287234,"flow_dst_last_pkt_time":1550422833289770,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":640,"flow_dst_tot_l4_payload_len":27912,"midstream":0,"thread_ts_usec":1550422833289770,"l3_proto":"ip4","src_ip":"145.76.2.236","dst_ip":"187.96.52.85","src_port":2152,"dst_port":2152,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":305486.2,"flow_max":1859119,"flow_stddev":563984.9,"c_to_s_min":20078,"c_to_s_avg":591721.0,"c_to_s_max":1859119,"c_to_s_stddev":677620.2,"s_to_c_min":1,"s_to_c_avg":205926.3,"s_to_c_max":1799040,"s_to_c_stddev":480202.4},"pktlen": {"c_to_s_min":106,"c_to_s_avg":113.1,"c_to_s_max":122,"c_to_s_stddev":5.9,"s_to_c_min":90,"s_to_c_avg":1255.6,"s_to_c_max":1490,"s_to_c_stddev":472.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"GTP.GTP_U","proto_id":"152.271","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00244{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","datalink":1,"packet_id":34,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","size":122,"expected":126,"global_ts_usec":1550422833447409} 00450{"packet_event_id":1,"packet_event_name":"packet","packet_id":34,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":122,"pkt_l4_len":0,"thread_ts_usec":1550422833289895,"pkt":"AAAAcxs8EFFy5LtdCABFeABsAdEAAEAR9EqRTALsu2A0VQhoCGgAWAAAMv8ASAn8kEPscwAARQAARFk\/QAB\/BgFlrBEkFT++kSvhEwBQ8LOPBjqqXxHAEAEBHQQAAAEBBRo6qqCxOqqlwTqqdPE6qpBJOqpkiTqqb3k="} 00244{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","datalink":1,"packet_id":35,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","size":122,"expected":126,"global_ts_usec":1550422834706876} @@ -77,5 +77,5 @@ ~~ total allocations/frees...: 121516/121516 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 247 chars -~~ json string max len.......: 1389 chars -~~ json string avg len.......: 817 chars +~~ json string max len.......: 1370 chars +~~ json string avg len.......: 808 chars diff --git a/test/results/reddit.pcap.out b/test/results/reddit.pcap.out index 30adfe90b..799b46419 100644 --- a/test/results/reddit.pcap.out +++ b/test/results/reddit.pcap.out @@ -26,8 +26,8 @@ 01149{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":39,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291684481568,"flow_src_last_pkt_time":1605291684552325,"flow_dst_last_pkt_time":1605291684551717,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291684552325,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01209{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":56,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291684481568,"flow_src_last_pkt_time":1605291684552325,"flow_dst_last_pkt_time":1605291684592780,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291684592780,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01597{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1605291684481568,"flow_src_last_pkt_time":1605291684592921,"flow_dst_last_pkt_time":1605291684593083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291684593083,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}} -01403{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"reddit.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291684451133,"flow_src_last_pkt_time":1605291684654464,"flow_dst_last_pkt_time":1605291684654375,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":824,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":2166,"flow_dst_tot_l4_payload_len":4508,"midstream":0,"thread_ts_usec":1605291684654464,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200a","src_port":40028,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":14253006.0,"flow_max":412930605,"flow_stddev":75342992.0,"c_to_s_min":10,"c_to_s_avg":25820872.0,"c_to_s_max":412930605,"c_to_s_stddev":99951304.0,"s_to_c_min":1,"s_to_c_avg":15634.0,"s_to_c_max":75646,"s_to_c_stddev":25088.3},"pktlen": {"c_to_s_min":86,"c_to_s_avg":221.9,"c_to_s_max":910,"c_to_s_stddev":258.8,"s_to_c_min":86,"s_to_c_avg":368.2,"s_to_c_max":1294,"s_to_c_stddev":395.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01244{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605291684452132,"flow_src_last_pkt_time":1605291685883411,"flow_dst_last_pkt_time":1605291685884221,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1120,"flow_dst_tot_l4_payload_len":9354,"midstream":0,"thread_ts_usec":1605291685884221,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":13859833.0,"flow_max":412931604,"flow_stddev":74106424.0,"c_to_s_min":6,"c_to_s_avg":29597348.0,"c_to_s_max":412931604,"c_to_s_stddev":106318296.0,"s_to_c_min":1,"s_to_c_avg":89505.6,"s_to_c_max":1228856,"s_to_c_stddev":295042.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":166.6,"c_to_s_max":603,"c_to_s_stddev":154.8,"s_to_c_min":86,"s_to_c_avg":606.1,"s_to_c_max":1134,"s_to_c_stddev":487.1}}} +01383{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"reddit.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291684451133,"flow_src_last_pkt_time":1605291684654464,"flow_dst_last_pkt_time":1605291684654375,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":824,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":2166,"flow_dst_tot_l4_payload_len":4508,"midstream":0,"thread_ts_usec":1605291684654464,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200a","src_port":40028,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":14520.5,"flow_max":75646,"flow_stddev":23887.5,"c_to_s_min":10,"c_to_s_avg":13555.4,"c_to_s_max":75219,"c_to_s_stddev":22751.6,"s_to_c_min":1,"s_to_c_avg":15634.0,"s_to_c_max":75646,"s_to_c_stddev":25088.3},"pktlen": {"c_to_s_min":86,"c_to_s_avg":221.9,"c_to_s_max":910,"c_to_s_stddev":258.8,"s_to_c_min":86,"s_to_c_avg":368.2,"s_to_c_max":1294,"s_to_c_stddev":395.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01230{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605291684452132,"flow_src_last_pkt_time":1605291685883411,"flow_dst_last_pkt_time":1605291685884221,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1120,"flow_dst_tot_l4_payload_len":9354,"midstream":0,"thread_ts_usec":1605291685884221,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":98736.8,"flow_max":1287577,"flow_stddev":316362.8,"c_to_s_min":6,"c_to_s_avg":110098.4,"c_to_s_max":1287577,"c_to_s_stddev":340433.3,"s_to_c_min":1,"s_to_c_avg":89505.6,"s_to_c_max":1228856,"s_to_c_stddev":295042.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":166.6,"c_to_s_max":603,"c_to_s_stddev":154.8,"s_to_c_min":86,"s_to_c_avg":606.1,"s_to_c_max":1134,"s_to_c_stddev":487.1}}} 01601{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":109,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605291684452132,"flow_src_last_pkt_time":1605291685883411,"flow_dst_last_pkt_time":1605291685884221,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1120,"flow_dst_tot_l4_payload_len":9354,"midstream":0,"thread_ts_usec":1605291685884221,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}} 00785{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291686035717,"flow_src_last_pkt_time":1605291686035717,"flow_dst_last_pkt_time":1605291686035717,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686035717,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1605291686035717,"flow_dst_last_pkt_time":1605291686035717,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291686035717,"pkt":"qtsDr8lk5EKm5WPyht1gDzZzACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3PIBu+DxzH8AAAAAoAL9INmFAAACBAWgBAIICql05ecAAAAAAQMDBw=="} @@ -137,16 +137,16 @@ 01591{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":738,"source":"reddit.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686064586,"flow_src_last_pkt_time":1605291686146132,"flow_dst_last_pkt_time":1605291686146919,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686146919,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56586,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"preview.redd.it","tls": {"version":"TLSv1.2","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}} 01212{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":751,"source":"reddit.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1605291686064604,"flow_src_last_pkt_time":1605291686146162,"flow_dst_last_pkt_time":1605291686148836,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686148836,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56588,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"preview.redd.it","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01591{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":754,"source":"reddit.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686064604,"flow_src_last_pkt_time":1605291686146162,"flow_dst_last_pkt_time":1605291686148836,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686148836,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56588,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"preview.redd.it","tls": {"version":"TLSv1.2","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}} -01491{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":779,"source":"reddit.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1605291686035769,"flow_src_last_pkt_time":1605291686160496,"flow_dst_last_pkt_time":1605291686157690,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1388,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":3806,"flow_dst_tot_l4_payload_len":3988,"midstream":0,"thread_ts_usec":1605291686160496,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56564,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9163.8,"flow_max":41517,"flow_stddev":15061.3,"c_to_s_min":3,"c_to_s_avg":7370.8,"c_to_s_max":40177,"c_to_s_stddev":14005.4,"s_to_c_min":1,"s_to_c_avg":13546.8,"s_to_c_max":41517,"s_to_c_stddev":16577.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":259.4,"c_to_s_max":1474,"c_to_s_stddev":294.7,"s_to_c_min":86,"s_to_c_avg":485.6,"s_to_c_max":1134,"s_to_c_stddev":451.6}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01491{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":779,"source":"reddit.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1605291686035769,"flow_src_last_pkt_time":1605291686160496,"flow_dst_last_pkt_time":1605291686157690,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1388,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":3806,"flow_dst_tot_l4_payload_len":3988,"midstream":0,"thread_ts_usec":1605291686160496,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56564,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8221.6,"flow_max":41517,"flow_stddev":14383.5,"c_to_s_min":3,"c_to_s_avg":5939.4,"c_to_s_max":40177,"c_to_s_stddev":12665.5,"s_to_c_min":1,"s_to_c_avg":13546.8,"s_to_c_max":41517,"s_to_c_stddev":16577.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":259.4,"c_to_s_max":1474,"c_to_s_stddev":294.7,"s_to_c_min":86,"s_to_c_avg":485.6,"s_to_c_max":1134,"s_to_c_stddev":451.6}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 01218{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":807,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686129954,"flow_dst_last_pkt_time":1605291686182404,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686182404,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01621{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":809,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686129954,"flow_dst_last_pkt_time":1605291686182405,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686182405,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}} 01218{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":811,"source":"reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686084924,"flow_src_last_pkt_time":1605291686130302,"flow_dst_last_pkt_time":1605291686182406,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686182406,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56590,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01621{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":818,"source":"reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686084924,"flow_src_last_pkt_time":1605291686182436,"flow_dst_last_pkt_time":1605291686183890,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686183890,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56590,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}} -01220{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":865,"source":"reddit.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686060652,"flow_src_last_pkt_time":1605291686199280,"flow_dst_last_pkt_time":1605291686201936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1550,"flow_dst_tot_l4_payload_len":9238,"midstream":0,"thread_ts_usec":1605291686201936,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56578,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":10018.1,"flow_max":48292,"flow_stddev":16074.6,"c_to_s_min":4,"c_to_s_avg":9281.5,"c_to_s_max":39329,"c_to_s_stddev":14990.2,"s_to_c_min":1,"s_to_c_avg":10868.0,"s_to_c_max":48292,"s_to_c_stddev":17202.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":189.9,"c_to_s_max":603,"c_to_s_stddev":166.7,"s_to_c_min":86,"s_to_c_avg":629.9,"s_to_c_max":1134,"s_to_c_stddev":491.7}}} +01220{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":865,"source":"reddit.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686060652,"flow_src_last_pkt_time":1605291686199280,"flow_dst_last_pkt_time":1605291686201936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1550,"flow_dst_tot_l4_payload_len":9238,"midstream":0,"thread_ts_usec":1605291686201936,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56578,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":10367.1,"flow_max":48292,"flow_stddev":16265.1,"c_to_s_min":4,"c_to_s_avg":9902.0,"c_to_s_max":39329,"c_to_s_stddev":15329.1,"s_to_c_min":1,"s_to_c_avg":10868.0,"s_to_c_max":48292,"s_to_c_stddev":17202.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":189.9,"c_to_s_max":603,"c_to_s_stddev":166.7,"s_to_c_min":86,"s_to_c_avg":629.9,"s_to_c_max":1134,"s_to_c_stddev":491.7}}} 01625{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":865,"source":"reddit.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686060652,"flow_src_last_pkt_time":1605291686199280,"flow_dst_last_pkt_time":1605291686201936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1550,"flow_dst_tot_l4_payload_len":9238,"midstream":0,"thread_ts_usec":1605291686201936,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56578,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"styles.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}} -01220{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686064532,"flow_src_last_pkt_time":1605291686204966,"flow_dst_last_pkt_time":1605291686203988,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1563,"flow_dst_tot_l4_payload_len":5635,"midstream":0,"thread_ts_usec":1605291686204966,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":10937.1,"flow_max":60278,"flow_stddev":19470.8,"c_to_s_min":2,"c_to_s_avg":8524.1,"c_to_s_max":57438,"c_to_s_stddev":17302.9,"s_to_c_min":1,"s_to_c_avg":15495.1,"s_to_c_max":60278,"s_to_c_stddev":22314.3},"pktlen": {"c_to_s_min":86,"c_to_s_avg":178.4,"c_to_s_max":603,"c_to_s_stddev":151.1,"s_to_c_min":86,"s_to_c_avg":462.2,"s_to_c_max":1134,"s_to_c_stddev":445.2}}} +01220{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686064532,"flow_src_last_pkt_time":1605291686204966,"flow_dst_last_pkt_time":1605291686203988,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1563,"flow_dst_tot_l4_payload_len":5635,"midstream":0,"thread_ts_usec":1605291686204966,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":11195.6,"flow_max":60278,"flow_stddev":19812.6,"c_to_s_min":2,"c_to_s_avg":8777.1,"c_to_s_max":57438,"c_to_s_stddev":17804.9,"s_to_c_min":1,"s_to_c_avg":15495.1,"s_to_c_max":60278,"s_to_c_stddev":22314.3},"pktlen": {"c_to_s_min":86,"c_to_s_avg":178.4,"c_to_s_max":603,"c_to_s_stddev":151.1,"s_to_c_min":86,"s_to_c_avg":462.2,"s_to_c_max":1134,"s_to_c_stddev":445.2}}} 01594{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":910,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686064532,"flow_src_last_pkt_time":1605291686204966,"flow_dst_last_pkt_time":1605291686203988,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1563,"flow_dst_tot_l4_payload_len":5635,"midstream":0,"thread_ts_usec":1605291686204966,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"preview.redd.it","tls": {"version":"TLSv1.2","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}} -01222{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1052,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686233012,"flow_dst_last_pkt_time":1605291686233017,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1107,"flow_dst_tot_l4_payload_len":8188,"midstream":0,"thread_ts_usec":1605291686233017,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":10634.1,"flow_max":52464,"flow_stddev":19225.8,"c_to_s_min":2,"c_to_s_avg":10020.4,"c_to_s_max":52464,"c_to_s_stddev":18359.0,"s_to_c_min":1,"s_to_c_avg":11389.5,"s_to_c_max":50980,"s_to_c_stddev":20216.3},"pktlen": {"c_to_s_min":86,"c_to_s_avg":155.7,"c_to_s_max":603,"c_to_s_stddev":140.3,"s_to_c_min":86,"s_to_c_avg":598.2,"s_to_c_max":1134,"s_to_c_stddev":489.7}}} +01221{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1052,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686233012,"flow_dst_last_pkt_time":1605291686233017,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1107,"flow_dst_tot_l4_payload_len":8188,"midstream":0,"thread_ts_usec":1605291686233017,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":10575.8,"flow_max":52464,"flow_stddev":19563.6,"c_to_s_min":2,"c_to_s_avg":9870.5,"c_to_s_max":52464,"c_to_s_stddev":18951.6,"s_to_c_min":1,"s_to_c_avg":11389.5,"s_to_c_max":50980,"s_to_c_stddev":20216.3},"pktlen": {"c_to_s_min":86,"c_to_s_avg":155.7,"c_to_s_max":603,"c_to_s_stddev":140.3,"s_to_c_min":86,"s_to_c_avg":598.2,"s_to_c_max":1134,"s_to_c_stddev":489.7}}} 01625{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1052,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686233012,"flow_dst_last_pkt_time":1605291686233017,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1107,"flow_dst_tot_l4_payload_len":8188,"midstream":0,"thread_ts_usec":1605291686233017,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1160,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686301196,"flow_dst_last_pkt_time":1605291686301196,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686301196,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1160,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_src_last_pkt_time":1605291686301196,"flow_dst_last_pkt_time":1605291686301196,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291686301196,"pkt":"qtsDr8lk5EKm5WPyht1gDu9XACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3RIBuyQ3ML0AAAAAoAL9IDDZAAACBAWgBAIICql05vEAAAAAAQMDBw=="} @@ -155,7 +155,7 @@ 01162{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1211,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686327471,"flow_dst_last_pkt_time":1605291686327034,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686327471,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01222{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1398,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686327471,"flow_dst_last_pkt_time":1605291686419456,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686419456,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01646{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1406,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686419467,"flow_dst_last_pkt_time":1605291686420291,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686420291,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.thumbs.redditmedia.com,thumbs.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.thumbs.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"FF:F4:6C:CF:D6:FD:64:3E:50:17:A2:DE:B0:F2:B6:9B:76:59:C6:75"}}} -01221{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1653,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686469619,"flow_dst_last_pkt_time":1605291686468646,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1078,"flow_dst_tot_l4_payload_len":8227,"midstream":0,"thread_ts_usec":1605291686469619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":12455.7,"flow_max":91996,"flow_stddev":23307.4,"c_to_s_min":1,"c_to_s_avg":9932.5,"c_to_s_max":91996,"c_to_s_stddev":23779.5,"s_to_c_min":1,"s_to_c_avg":16745.0,"s_to_c_max":66367,"s_to_c_stddev":21822.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":149.9,"c_to_s_max":603,"c_to_s_stddev":138.8,"s_to_c_min":86,"s_to_c_avg":635.0,"s_to_c_max":1134,"s_to_c_stddev":486.5}}} +01222{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1653,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686469619,"flow_dst_last_pkt_time":1605291686468646,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1078,"flow_dst_tot_l4_payload_len":8227,"midstream":0,"thread_ts_usec":1605291686469619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":12918.2,"flow_max":91996,"flow_stddev":23629.4,"c_to_s_min":1,"c_to_s_avg":10526.4,"c_to_s_max":91996,"c_to_s_stddev":24388.7,"s_to_c_min":1,"s_to_c_avg":16745.0,"s_to_c_max":66367,"s_to_c_stddev":21822.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":149.9,"c_to_s_max":603,"c_to_s_stddev":138.8,"s_to_c_min":86,"s_to_c_avg":635.0,"s_to_c_max":1134,"s_to_c_stddev":486.5}}} 01649{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1653,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686469619,"flow_dst_last_pkt_time":1605291686468646,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1078,"flow_dst_tot_l4_payload_len":8227,"midstream":0,"thread_ts_usec":1605291686469619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.thumbs.redditmedia.com,thumbs.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.thumbs.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"FF:F4:6C:CF:D6:FD:64:3E:50:17:A2:DE:B0:F2:B6:9B:76:59:C6:75"}}} 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1925,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291686985114,"flow_dst_last_pkt_time":1605291686985114,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686985114,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1925,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1605291686985114,"flow_dst_last_pkt_time":1605291686985114,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291686985114,"pkt":"qtsDr8lk5EKm5WPyht1gAMi0ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACACxxABu7duD88AAAAAoAL9IJsfAAACBAWgBAIIClRf4AwAAAAAAQMDBw=="} @@ -175,10 +175,10 @@ 01219{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1938,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291687016854,"flow_dst_last_pkt_time":1605291687060476,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291687060476,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01200{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1949,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687024727,"flow_dst_last_pkt_time":1605291687075726,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291687075726,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"c.amazon-adsystem.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1962,"source":"reddit.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686996891,"flow_src_last_pkt_time":1605291687024606,"flow_dst_last_pkt_time":1605291687096859,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291687096859,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3b6","src_port":38320,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"c.aaxads.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01388{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1994,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291687110047,"flow_dst_last_pkt_time":1605291687110135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10234,"midstream":0,"thread_ts_usec":1605291687110135,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5,"flow_avg":24140.3,"flow_max":450114,"flow_stddev":81777.0,"c_to_s_min":5,"c_to_s_avg":35940.4,"c_to_s_max":450114,"c_to_s_stddev":107898.4,"s_to_c_min":90,"s_to_c_avg":9617.0,"s_to_c_max":37718,"s_to_c_stddev":14394.4},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.8,"c_to_s_max":603,"c_to_s_stddev":134.6,"s_to_c_min":86,"s_to_c_avg":726.1,"s_to_c_max":1294,"s_to_c_stddev":542.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01224{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2016,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687112023,"flow_dst_last_pkt_time":1605291687112006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":11490,"midstream":0,"thread_ts_usec":1605291687112023,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":25118.5,"flow_max":450710,"flow_stddev":83359.9,"c_to_s_min":2,"c_to_s_avg":33942.5,"c_to_s_max":450710,"c_to_s_stddev":105322.8,"s_to_c_min":1,"s_to_c_avg":11481.5,"s_to_c_max":38538,"s_to_c_stddev":15433.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":143.1,"c_to_s_max":603,"c_to_s_stddev":131.1,"s_to_c_min":86,"s_to_c_avg":852.5,"s_to_c_max":1474,"s_to_c_stddev":668.5}}} +01383{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1994,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291687110047,"flow_dst_last_pkt_time":1605291687110135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10234,"midstream":0,"thread_ts_usec":1605291687110135,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5,"flow_avg":8926.9,"flow_max":43636,"flow_stddev":14641.6,"c_to_s_min":5,"c_to_s_avg":8328.9,"c_to_s_max":43636,"c_to_s_stddev":14826.6,"s_to_c_min":90,"s_to_c_avg":9617.0,"s_to_c_max":37718,"s_to_c_stddev":14394.4},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.8,"c_to_s_max":603,"c_to_s_stddev":134.6,"s_to_c_min":86,"s_to_c_avg":726.1,"s_to_c_max":1294,"s_to_c_stddev":542.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01219{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2016,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687112023,"flow_dst_last_pkt_time":1605291687112006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":11490,"midstream":0,"thread_ts_usec":1605291687112023,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9355.9,"flow_max":51019,"flow_stddev":15790.2,"c_to_s_min":2,"c_to_s_avg":7894.6,"c_to_s_max":51019,"c_to_s_stddev":15866.7,"s_to_c_min":1,"s_to_c_avg":11481.5,"s_to_c_max":38538,"s_to_c_stddev":15433.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":143.1,"c_to_s_max":603,"c_to_s_stddev":131.1,"s_to_c_min":86,"s_to_c_avg":852.5,"s_to_c_max":1474,"s_to_c_stddev":668.5}}} 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2016,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687112023,"flow_dst_last_pkt_time":1605291687112006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":11490,"midstream":0,"thread_ts_usec":1605291687112023,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"c.amazon-adsystem.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2070,"source":"reddit.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686996891,"flow_src_last_pkt_time":1605291687186026,"flow_dst_last_pkt_time":1605291687186023,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":998,"flow_dst_tot_l4_payload_len":10536,"midstream":0,"thread_ts_usec":1605291687186026,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3b6","src_port":38320,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":31117.0,"flow_max":461891,"flow_stddev":86588.8,"c_to_s_min":3,"c_to_s_avg":43401.7,"c_to_s_max":461891,"c_to_s_stddev":113940.7,"s_to_c_min":1,"s_to_c_avg":15761.0,"s_to_c_max":37313,"s_to_c_stddev":14733.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":153.1,"c_to_s_max":603,"c_to_s_stddev":139.8,"s_to_c_min":86,"s_to_c_avg":706.2,"s_to_c_max":1474,"s_to_c_stddev":645.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01354{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2070,"source":"reddit.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686996891,"flow_src_last_pkt_time":1605291687186026,"flow_dst_last_pkt_time":1605291687186023,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":998,"flow_dst_tot_l4_payload_len":10536,"midstream":0,"thread_ts_usec":1605291687186026,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3b6","src_port":38320,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":14548.7,"flow_max":72269,"flow_stddev":19347.3,"c_to_s_min":3,"c_to_s_avg":13509.6,"c_to_s_max":72269,"c_to_s_stddev":22511.1,"s_to_c_min":1,"s_to_c_avg":15761.0,"s_to_c_max":37313,"s_to_c_stddev":14733.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":153.1,"c_to_s_max":603,"c_to_s_stddev":139.8,"s_to_c_min":86,"s_to_c_avg":706.2,"s_to_c_max":1474,"s_to_c_stddev":645.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2333,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687485783,"flow_dst_last_pkt_time":1605291687485783,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687485783,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2333,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1605291687485783,"flow_dst_last_pkt_time":1605291687485783,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687485783,"pkt":"qtsDr8lk5EKm5WPyht1gDGJhACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACs2RLCx1IBu5\/PXZ4AAAAAoAL9IP2VAAACBAWgBAIICruOxrcAAAAAAQMDBw=="} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2341,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1605291687485783,"flow_dst_last_pkt_time":1605291687512994,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687512994,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAKzZEsIqAcsBIEmLB5kd7IUo3\/YpAbvHUvrRnoyfz12foBJXgAjWAAACBAV4AQMDAwQCCArC1z5Fu47Gtw=="} @@ -192,8 +192,8 @@ 01222{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2356,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687513279,"flow_dst_last_pkt_time":1605291687552593,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291687552593,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"securepubads.g.doubleclick.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01219{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2382,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687545503,"flow_dst_last_pkt_time":1605291687606576,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291687606576,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"platform.twitter.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01664{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2390,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687606628,"flow_dst_last_pkt_time":1605291687606672,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291687606672,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"platform.twitter.com","tls": {"version":"TLSv1.2","server_names":"platform.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=platform.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"2B:30:10:3B:07:2F:F2:EB:3D:08:E3:BB:45:61:F7:A3:9F:4C:A7:92"}}} -01381{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2397,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687606682,"flow_dst_last_pkt_time":1605291687608302,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":978,"flow_dst_tot_l4_payload_len":10865,"midstream":0,"thread_ts_usec":1605291687608302,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":9633.0,"flow_max":49462,"flow_stddev":14962.4,"c_to_s_min":5,"c_to_s_avg":8598.2,"c_to_s_max":49462,"c_to_s_stddev":15486.0,"s_to_c_min":2,"s_to_c_avg":11138.1,"s_to_c_max":39448,"s_to_c_stddev":14030.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":147.6,"c_to_s_max":603,"c_to_s_stddev":135.8,"s_to_c_min":86,"s_to_c_avg":765.6,"s_to_c_max":1474,"s_to_c_stddev":644.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} -01219{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2457,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687641122,"flow_dst_last_pkt_time":1605291687641103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1012,"flow_dst_tot_l4_payload_len":8292,"midstream":0,"thread_ts_usec":1605291687641122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8481.7,"flow_max":61125,"flow_stddev":16007.8,"c_to_s_min":2,"c_to_s_avg":7535.6,"c_to_s_max":61125,"c_to_s_stddev":16389.0,"s_to_c_min":1,"s_to_c_avg":9719.0,"s_to_c_max":47450,"s_to_c_stddev":15407.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.0,"c_to_s_max":603,"c_to_s_stddev":132.0,"s_to_c_min":86,"s_to_c_avg":639.3,"s_to_c_max":1134,"s_to_c_stddev":487.6}}} +01381{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2397,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687606682,"flow_dst_last_pkt_time":1605291687608302,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":978,"flow_dst_tot_l4_payload_len":10865,"midstream":0,"thread_ts_usec":1605291687608302,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":9362.2,"flow_max":49462,"flow_stddev":15182.4,"c_to_s_min":5,"c_to_s_avg":8059.9,"c_to_s_max":49462,"c_to_s_stddev":15848.3,"s_to_c_min":2,"s_to_c_avg":11138.1,"s_to_c_max":39448,"s_to_c_stddev":14030.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":147.6,"c_to_s_max":603,"c_to_s_stddev":135.8,"s_to_c_min":86,"s_to_c_avg":765.6,"s_to_c_max":1474,"s_to_c_stddev":644.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} +01219{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2457,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687641122,"flow_dst_last_pkt_time":1605291687641103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1012,"flow_dst_tot_l4_payload_len":8292,"midstream":0,"thread_ts_usec":1605291687641122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8714.2,"flow_max":61125,"flow_stddev":16231.6,"c_to_s_min":2,"c_to_s_avg":7897.9,"c_to_s_max":61125,"c_to_s_stddev":16827.2,"s_to_c_min":1,"s_to_c_avg":9719.0,"s_to_c_max":47450,"s_to_c_stddev":15407.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.0,"c_to_s_max":603,"c_to_s_stddev":132.0,"s_to_c_min":86,"s_to_c_avg":639.3,"s_to_c_max":1134,"s_to_c_stddev":487.6}}} 01667{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2457,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687641122,"flow_dst_last_pkt_time":1605291687641103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1012,"flow_dst_tot_l4_payload_len":8292,"midstream":0,"thread_ts_usec":1605291687641122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"platform.twitter.com","tls": {"version":"TLSv1.2","server_names":"platform.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=platform.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"2B:30:10:3B:07:2F:F2:EB:3D:08:E3:BB:45:61:F7:A3:9F:4C:A7:92"}}} 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2460,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291687642048,"flow_src_last_pkt_time":1605291687642048,"flow_dst_last_pkt_time":1605291687642048,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687642048,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2460,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1605291687642048,"flow_dst_last_pkt_time":1605291687642048,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687642048,"pkt":"qtsDr8lk5EKm5WPyht1gDI7+ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACAImmABu4PHuxgAAAAAoAL9IGTNAAACBAWgBAIICsL4XLwAAAAAAQMDBw=="} @@ -203,7 +203,7 @@ 01218{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2554,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687642048,"flow_src_last_pkt_time":1605291687678071,"flow_dst_last_pkt_time":1605291687721930,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291687721930,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagmanager.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2578,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291687761761,"flow_src_last_pkt_time":1605291687761761,"flow_dst_last_pkt_time":1605291687761761,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687761761,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3d1","src_port":32970,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2578,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1605291687761761,"flow_dst_last_pkt_time":1605291687761761,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687761761,"pkt":"qtsDr8lk5EKm5WPyht1gCTrZACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABoU7PRgMoBuzRK2bcAAAAAoAL9IFSZAAACBAWgBAIIClvEqOkAAAAAAQMDBw=="} -01382{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2589,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687642048,"flow_src_last_pkt_time":1605291687769797,"flow_dst_last_pkt_time":1605291687770512,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":967,"flow_dst_tot_l4_payload_len":10018,"midstream":0,"thread_ts_usec":1605291687770512,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8571.3,"flow_max":43870,"flow_stddev":14475.8,"c_to_s_min":3,"c_to_s_avg":8042.2,"c_to_s_max":43870,"c_to_s_stddev":14428.9,"s_to_c_min":1,"s_to_c_avg":9176.0,"s_to_c_max":38053,"s_to_c_stddev":14505.6},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.9,"c_to_s_max":603,"c_to_s_stddev":134.8,"s_to_c_min":86,"s_to_c_avg":712.6,"s_to_c_max":1294,"s_to_c_stddev":543.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01382{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2589,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687642048,"flow_src_last_pkt_time":1605291687769797,"flow_dst_last_pkt_time":1605291687770512,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":967,"flow_dst_tot_l4_payload_len":10018,"midstream":0,"thread_ts_usec":1605291687770512,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8834.9,"flow_max":43870,"flow_stddev":14652.3,"c_to_s_min":3,"c_to_s_avg":8516.6,"c_to_s_max":43870,"c_to_s_stddev":14780.8,"s_to_c_min":1,"s_to_c_avg":9176.0,"s_to_c_max":38053,"s_to_c_stddev":14505.6},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.9,"c_to_s_max":603,"c_to_s_stddev":134.8,"s_to_c_min":86,"s_to_c_avg":712.6,"s_to_c_max":1294,"s_to_c_stddev":543.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2609,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_src_last_pkt_time":1605291687761761,"flow_dst_last_pkt_time":1605291687790624,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687790624,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAGhTs9EqAcsBIEmLB5kd7IUo3\/YpAbuAylJzVUg0Stm4oBJXgFBhAAACBAV4AQMDAwQCCArC1z9gW8So6Q=="} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2610,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":3,"flow_src_last_pkt_time":1605291687790646,"flow_dst_last_pkt_time":1605291687790624,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605291687790646,"pkt":"qtsDr8lk5EKm5WPyht1gCTrZACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABoU7PRgMoBuzRK2bhSc1VJgBAB+9RVAAABAQgKW8SpBsLXP2A="} 01135{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2611,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291687761761,"flow_src_last_pkt_time":1605291687790793,"flow_dst_last_pkt_time":1605291687790624,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687790793,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3d1","src_port":32970,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.aaxdetect.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} @@ -240,9 +240,9 @@ 01714{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3147,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291687974969,"flow_dst_last_pkt_time":1605291688036418,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3364,"midstream":0,"thread_ts_usec":1605291688036418,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"secure.quantserve.com","tls": {"version":"TLSv1.2","server_names":"*.quantserve.com,*.quantcount.com,*.apextag.com,quantserve.com,quantcount.com,apextag.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Quantcast Corporation, CN=*.quantserve.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3A:30:B1:4A:CE:62:AF:55:B1:89:FF:0C:CB:69:E3:80:CB:B0:91:90"}}} 01222{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3171,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291687829706,"flow_dst_last_pkt_time":1605291688046248,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291688046248,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"syndication.twitter.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01787{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3174,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688046258,"flow_dst_last_pkt_time":1605291688046580,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3439,"midstream":0,"thread_ts_usec":1605291688046580,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"syndication.twitter.com","tls": {"version":"TLSv1.2","server_names":"syndication.twitter.com,syndication.twimg.com,syndication-o.twitter.com,syndication-o.twimg.com,cdn.syndication.twitter.com,cdn.syndication.twimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=syndication.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"09:D3:FE:9A:3E:39:A7:E2:90:5B:C9:1F:3B:7D:CE:7C:7E:08:1C:6F"}}} -01243{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3293,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291688258109,"flow_dst_last_pkt_time":1605291688258300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":10685,"midstream":0,"thread_ts_usec":1605291688258300,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":21674.6,"flow_max":180245,"flow_stddev":39254.6,"c_to_s_min":3,"c_to_s_avg":20330.8,"c_to_s_max":94049,"c_to_s_stddev":32326.8,"s_to_c_min":1,"s_to_c_avg":23210.4,"s_to_c_max":180245,"s_to_c_stddev":45861.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":167.5,"c_to_s_max":603,"c_to_s_stddev":141.7,"s_to_c_min":86,"s_to_c_avg":754.3,"s_to_c_max":1474,"s_to_c_stddev":650.3}}} +01243{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3293,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291688258109,"flow_dst_last_pkt_time":1605291688258300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":10685,"midstream":0,"thread_ts_usec":1605291688258300,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":22403.4,"flow_max":180245,"flow_stddev":39725.6,"c_to_s_min":3,"c_to_s_avg":21650.3,"c_to_s_max":94049,"c_to_s_stddev":32967.2,"s_to_c_min":1,"s_to_c_avg":23210.4,"s_to_c_max":180245,"s_to_c_stddev":45861.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":167.5,"c_to_s_max":603,"c_to_s_stddev":141.7,"s_to_c_min":86,"s_to_c_avg":754.3,"s_to_c_max":1474,"s_to_c_stddev":650.3}}} 01718{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3293,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291688258109,"flow_dst_last_pkt_time":1605291688258300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":10685,"midstream":0,"thread_ts_usec":1605291688258300,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"secure.quantserve.com","tls": {"version":"TLSv1.2","server_names":"*.quantserve.com,*.quantcount.com,*.apextag.com,quantserve.com,quantcount.com,apextag.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Quantcast Corporation, CN=*.quantserve.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3A:30:B1:4A:CE:62:AF:55:B1:89:FF:0C:CB:69:E3:80:CB:B0:91:90"}}} -01375{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3311,"source":"reddit.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687931808,"flow_src_last_pkt_time":1605291688275672,"flow_dst_last_pkt_time":1605291688275738,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1514,"flow_dst_tot_l4_payload_len":8800,"midstream":0,"thread_ts_usec":1605291688275738,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54862,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":23096.0,"flow_max":168765,"flow_stddev":38604.6,"c_to_s_min":5,"c_to_s_avg":20526.4,"c_to_s_max":91732,"c_to_s_stddev":31609.0,"s_to_c_min":2,"s_to_c_avg":26456.2,"s_to_c_max":168765,"s_to_c_stddev":45964.3},"pktlen": {"c_to_s_min":86,"c_to_s_avg":175.5,"c_to_s_max":603,"c_to_s_stddev":166.7,"s_to_c_min":86,"s_to_c_avg":673.2,"s_to_c_max":1294,"s_to_c_stddev":548.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +01375{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3311,"source":"reddit.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687931808,"flow_src_last_pkt_time":1605291688275672,"flow_dst_last_pkt_time":1605291688275738,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1514,"flow_dst_tot_l4_payload_len":8800,"midstream":0,"thread_ts_usec":1605291688275738,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54862,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":23717.0,"flow_max":168765,"flow_stddev":39116.9,"c_to_s_min":5,"c_to_s_avg":21491.5,"c_to_s_max":91732,"c_to_s_stddev":32337.9,"s_to_c_min":2,"s_to_c_avg":26456.2,"s_to_c_max":168765,"s_to_c_stddev":45964.3},"pktlen": {"c_to_s_min":86,"c_to_s_avg":175.5,"c_to_s_max":603,"c_to_s_stddev":166.7,"s_to_c_min":86,"s_to_c_avg":673.2,"s_to_c_max":1294,"s_to_c_stddev":548.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3346,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688324076,"flow_dst_last_pkt_time":1605291688324076,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688324076,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3346,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1605291688324076,"flow_dst_last_pkt_time":1605291688324076,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688324076,"pkt":"qtsDr8lk5EKm5WPyht1gDP1bACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADYOtHmx5wBu0pXpjQAAAAAoAL9INe7AAACBAWgBAIICn8mSwwAAAAAAQMDBw=="} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3358,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688336354,"flow_src_last_pkt_time":1605291688336354,"flow_dst_last_pkt_time":1605291688336354,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688336354,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -261,8 +261,8 @@ 01210{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3517,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688365341,"flow_dst_last_pkt_time":1605291688408044,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291688408044,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"ad.doubleclick.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01210{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3521,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688336354,"flow_src_last_pkt_time":1605291688371089,"flow_dst_last_pkt_time":1605291688408514,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291688408514,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51102,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"ad.doubleclick.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01201{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3538,"source":"reddit.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688344280,"flow_src_last_pkt_time":1605291688372055,"flow_dst_last_pkt_time":1605291688411963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688411963,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:9000:219c:ee00:6:44e3:f8c0:93a1","src_port":56186,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"rules.quantcount.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01384{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3794,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688488430,"flow_dst_last_pkt_time":1605291688495517,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1402,"flow_dst_tot_l4_payload_len":4278,"midstream":0,"thread_ts_usec":1605291688495517,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":12339.8,"flow_max":59079,"flow_stddev":16949.0,"c_to_s_min":17,"c_to_s_avg":12412.9,"c_to_s_max":59079,"c_to_s_stddev":18728.1,"s_to_c_min":1,"s_to_c_avg":12245.8,"s_to_c_max":41079,"s_to_c_stddev":14340.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":164.3,"c_to_s_max":603,"c_to_s_stddev":146.9,"s_to_c_min":86,"s_to_c_avg":392.1,"s_to_c_max":1474,"s_to_c_stddev":493.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} -01225{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688483940,"flow_dst_last_pkt_time":1605291688560007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1460,"flow_dst_tot_l4_payload_len":4488,"midstream":0,"thread_ts_usec":1605291688560007,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":47185.7,"flow_max":216552,"flow_stddev":67245.7,"c_to_s_min":7,"c_to_s_avg":43933.0,"c_to_s_max":216552,"c_to_s_stddev":68022.9,"s_to_c_min":1,"s_to_c_avg":50655.2,"s_to_c_max":211900,"s_to_c_stddev":66230.9},"pktlen": {"c_to_s_min":86,"c_to_s_avg":177.8,"c_to_s_max":603,"c_to_s_stddev":145.3,"s_to_c_min":86,"s_to_c_avg":367.0,"s_to_c_max":1474,"s_to_c_stddev":459.1}}} +01383{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3794,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688488430,"flow_dst_last_pkt_time":1605291688495517,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1402,"flow_dst_tot_l4_payload_len":4278,"midstream":0,"thread_ts_usec":1605291688495517,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":10832.1,"flow_max":42730,"flow_stddev":14959.8,"c_to_s_min":17,"c_to_s_avg":9667.9,"c_to_s_max":42730,"c_to_s_stddev":15353.7,"s_to_c_min":1,"s_to_c_avg":12245.8,"s_to_c_max":41079,"s_to_c_stddev":14340.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":164.3,"c_to_s_max":603,"c_to_s_stddev":146.9,"s_to_c_min":86,"s_to_c_avg":392.1,"s_to_c_max":1474,"s_to_c_stddev":493.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} +01225{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688483940,"flow_dst_last_pkt_time":1605291688560007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1460,"flow_dst_tot_l4_payload_len":4488,"midstream":0,"thread_ts_usec":1605291688560007,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":48119.6,"flow_max":216552,"flow_stddev":68159.2,"c_to_s_min":7,"c_to_s_avg":45584.1,"c_to_s_max":216552,"c_to_s_stddev":69942.6,"s_to_c_min":1,"s_to_c_avg":50655.2,"s_to_c_max":211900,"s_to_c_stddev":66230.9},"pktlen": {"c_to_s_min":86,"c_to_s_avg":177.8,"c_to_s_max":603,"c_to_s_stddev":145.3,"s_to_c_min":86,"s_to_c_avg":367.0,"s_to_c_max":1474,"s_to_c_stddev":459.1}}} 01790{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688483940,"flow_dst_last_pkt_time":1605291688560007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1460,"flow_dst_tot_l4_payload_len":4488,"midstream":0,"thread_ts_usec":1605291688560007,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"syndication.twitter.com","tls": {"version":"TLSv1.2","server_names":"syndication.twitter.com,syndication.twimg.com,syndication-o.twitter.com,syndication-o.twimg.com,cdn.syndication.twitter.com,cdn.syndication.twimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=syndication.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"09:D3:FE:9A:3E:39:A7:E2:90:5B:C9:1F:3B:7D:CE:7C:7E:08:1C:6F"}}} 00803{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3906,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688611238,"flow_src_last_pkt_time":1605291688611238,"flow_dst_last_pkt_time":1605291688611238,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688611238,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3906,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1605291688611238,"flow_dst_last_pkt_time":1605291688611238,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688611238,"pkt":"qtsDr8lk5EKm5WPyht1gDEO\/ACgGQCoBywEgSYsHmR3shSjf9ikmBigAATQaDRQpB0IHggC2mzgBu\/F3Z44AAAAAoAL9IIe6AAACBAWgBAIICvY2BR4AAAAAAQMDBw=="} @@ -280,7 +280,7 @@ 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4267,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_src_last_pkt_time":1605291688749044,"flow_dst_last_pkt_time":1605291688786435,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688786435,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgFAAAAAAAAIAQqAcsBIEmLB5kd7IUo3\/YpAbvfwoEYYXPjQDuzoBJXgOVIAAACBAV4AQMDAwQCCArC10M\/bf\/I8g=="} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4268,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1605291688786460,"flow_dst_last_pkt_time":1605291688786435,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605291688786460,"pkt":"qtsDr8lk5EKm5WPyht1gCJDMACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACAE38IBu+NAO7OBGGF0gBAB+2k0AAABAQgKbf\/JGMLXQz8="} 01155{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4269,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291688749044,"flow_src_last_pkt_time":1605291688786633,"flow_dst_last_pkt_time":1605291688786435,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688786633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.google.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01391{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4390,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688611238,"flow_src_last_pkt_time":1605291688786771,"flow_dst_last_pkt_time":1605291688811895,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":523,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1624,"flow_dst_tot_l4_payload_len":5905,"midstream":0,"thread_ts_usec":1605291688811895,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":12699.9,"flow_max":51136,"flow_stddev":17930.4,"c_to_s_min":3,"c_to_s_avg":11271.2,"c_to_s_max":51136,"c_to_s_stddev":18509.2,"s_to_c_min":1,"s_to_c_avg":14332.6,"s_to_c_max":43010,"s_to_c_stddev":17099.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":188.0,"c_to_s_max":609,"c_to_s_stddev":183.6,"s_to_c_min":86,"s_to_c_avg":455.6,"s_to_c_max":1294,"s_to_c_stddev":494.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01391{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4390,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688611238,"flow_src_last_pkt_time":1605291688786771,"flow_dst_last_pkt_time":1605291688811895,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":523,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1624,"flow_dst_tot_l4_payload_len":5905,"midstream":0,"thread_ts_usec":1605291688811895,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":12972.1,"flow_max":51136,"flow_stddev":18175.8,"c_to_s_min":3,"c_to_s_avg":11702.2,"c_to_s_max":51136,"c_to_s_stddev":19038.4,"s_to_c_min":1,"s_to_c_avg":14332.6,"s_to_c_max":43010,"s_to_c_stddev":17099.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":188.0,"c_to_s_max":609,"c_to_s_stddev":183.6,"s_to_c_min":86,"s_to_c_avg":455.6,"s_to_c_max":1294,"s_to_c_stddev":494.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 01220{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":4414,"source":"reddit.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688712501,"flow_src_last_pkt_time":1605291688754330,"flow_dst_last_pkt_time":1605291688813598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688813598,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2006","src_port":54726,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"static.doubleclick.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4492,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291688830061,"flow_dst_last_pkt_time":1605291688830061,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688830061,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4492,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_src_last_pkt_time":1605291688830061,"flow_dst_last_pkt_time":1605291688830061,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688830061,"pkt":"qtsDr8lk5EKm5WPyht1gBrB0ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACAB4woBuyKqv5AAAAAAoAL9IFwjAAACBAWgBAIICu7gTZEAAAAAAQMDBw=="} @@ -302,15 +302,15 @@ 01150{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4861,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291688894065,"flow_dst_last_pkt_time":1605291688893806,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688894065,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"yt3.ggpht.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4865,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":2,"flow_src_last_pkt_time":1605291688831210,"flow_dst_last_pkt_time":1605291688894545,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688894545,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgVAAAAAAAAIBYqAcsBIEmLB5kd7IUo3\/YpAbvMSCvRvaZMy7vtoBJXgIUlAAACBAV4AQMDAwQCCArC10OaRJp0xw=="} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4867,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":3,"flow_src_last_pkt_time":1605291688894570,"flow_dst_last_pkt_time":1605291688894545,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605291688894570,"pkt":"qtsDr8lk5EKm5WPyht1gDPOvACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFQAAAAAAACAWzEgBu0zLu+0r0b2ngBAB+wj4AAABAQgKRJp1BsLXQ5o="} -01375{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688749044,"flow_src_last_pkt_time":1605291688895635,"flow_dst_last_pkt_time":1605291688895679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":990,"flow_dst_tot_l4_payload_len":9898,"midstream":0,"thread_ts_usec":1605291688895679,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9820.4,"flow_max":62320,"flow_stddev":17738.3,"c_to_s_min":13,"c_to_s_avg":9248.6,"c_to_s_max":62320,"c_to_s_stddev":18503.8,"s_to_c_min":1,"s_to_c_avg":10473.9,"s_to_c_max":47446,"s_to_c_stddev":16797.0},"pktlen": {"c_to_s_min":86,"c_to_s_avg":148.4,"c_to_s_max":603,"c_to_s_stddev":137.0,"s_to_c_min":86,"s_to_c_avg":705.1,"s_to_c_max":1294,"s_to_c_stddev":541.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01376{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688749044,"flow_src_last_pkt_time":1605291688895635,"flow_dst_last_pkt_time":1605291688895679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":990,"flow_dst_tot_l4_payload_len":9898,"midstream":0,"thread_ts_usec":1605291688895679,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":10111.2,"flow_max":62320,"flow_stddev":17971.1,"c_to_s_min":13,"c_to_s_avg":9772.7,"c_to_s_max":62320,"c_to_s_stddev":18995.3,"s_to_c_min":1,"s_to_c_avg":10473.9,"s_to_c_max":47446,"s_to_c_stddev":16797.0},"pktlen": {"c_to_s_min":86,"c_to_s_avg":148.4,"c_to_s_max":603,"c_to_s_stddev":137.0,"s_to_c_min":86,"s_to_c_avg":705.1,"s_to_c_max":1294,"s_to_c_stddev":541.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01148{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4885,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291688831210,"flow_src_last_pkt_time":1605291688895701,"flow_dst_last_pkt_time":1605291688894545,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688895701,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"i.ytimg.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01195{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5588,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291688894065,"flow_dst_last_pkt_time":1605291688963049,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688963049,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"yt3.ggpht.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01193{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5606,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688831210,"flow_src_last_pkt_time":1605291688895701,"flow_dst_last_pkt_time":1605291688963101,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688963101,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"i.ytimg.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5611,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688843899,"flow_src_last_pkt_time":1605291688889651,"flow_dst_last_pkt_time":1605291688963103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688963103,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fonts.gstatic.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5621,"source":"reddit.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688843948,"flow_src_last_pkt_time":1605291688889830,"flow_dst_last_pkt_time":1605291688963145,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688963145,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47304,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fonts.gstatic.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01373{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5669,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291689005944,"flow_dst_last_pkt_time":1605291689006046,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1039,"flow_dst_tot_l4_payload_len":8982,"midstream":0,"thread_ts_usec":1605291689006046,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":12596.0,"flow_max":68993,"flow_stddev":23620.3,"c_to_s_min":6,"c_to_s_avg":11780.3,"c_to_s_max":68993,"c_to_s_stddev":22516.2,"s_to_c_min":1,"s_to_c_avg":13537.3,"s_to_c_max":68524,"s_to_c_stddev":24800.0},"pktlen": {"c_to_s_min":86,"c_to_s_avg":155.8,"c_to_s_max":603,"c_to_s_stddev":146.1,"s_to_c_min":86,"s_to_c_avg":614.8,"s_to_c_max":1294,"s_to_c_stddev":528.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} -01377{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5691,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688843899,"flow_src_last_pkt_time":1605291689013039,"flow_dst_last_pkt_time":1605291689013078,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1086,"flow_dst_tot_l4_payload_len":9699,"midstream":0,"thread_ts_usec":1605291689013078,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":13854.9,"flow_max":73480,"flow_stddev":22834.4,"c_to_s_min":3,"c_to_s_avg":14538.2,"c_to_s_max":73480,"c_to_s_stddev":23911.8,"s_to_c_min":1,"s_to_c_avg":13013.8,"s_to_c_max":65680,"s_to_c_stddev":21404.4},"pktlen": {"c_to_s_min":86,"c_to_s_avg":154.4,"c_to_s_max":603,"c_to_s_stddev":137.7,"s_to_c_min":86,"s_to_c_avg":692.7,"s_to_c_max":1294,"s_to_c_stddev":552.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01374{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5714,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688831210,"flow_src_last_pkt_time":1605291689029453,"flow_dst_last_pkt_time":1605291689029440,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1007,"flow_dst_tot_l4_payload_len":10130,"midstream":0,"thread_ts_usec":1605291689029453,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":13709.0,"flow_max":67787,"flow_stddev":22817.0,"c_to_s_min":6,"c_to_s_avg":12458.1,"c_to_s_max":67414,"c_to_s_stddev":21480.1,"s_to_c_min":1,"s_to_c_avg":15248.5,"s_to_c_max":67787,"s_to_c_stddev":24273.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":149.4,"c_to_s_max":603,"c_to_s_stddev":138.8,"s_to_c_min":86,"s_to_c_avg":719.6,"s_to_c_max":1294,"s_to_c_stddev":544.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +01373{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5669,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291689005944,"flow_dst_last_pkt_time":1605291689006046,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1039,"flow_dst_tot_l4_payload_len":8982,"midstream":0,"thread_ts_usec":1605291689006046,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":13032.1,"flow_max":68993,"flow_stddev":23942.8,"c_to_s_min":6,"c_to_s_avg":12563.1,"c_to_s_max":68993,"c_to_s_stddev":23108.5,"s_to_c_min":1,"s_to_c_avg":13537.3,"s_to_c_max":68524,"s_to_c_stddev":24800.0},"pktlen": {"c_to_s_min":86,"c_to_s_avg":155.8,"c_to_s_max":603,"c_to_s_stddev":146.1,"s_to_c_min":86,"s_to_c_avg":614.8,"s_to_c_max":1294,"s_to_c_stddev":528.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +01377{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5691,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688843899,"flow_src_last_pkt_time":1605291689013039,"flow_dst_last_pkt_time":1605291689013078,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1086,"flow_dst_tot_l4_payload_len":9699,"midstream":0,"thread_ts_usec":1605291689013078,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":12082.8,"flow_max":73480,"flow_stddev":21188.9,"c_to_s_min":3,"c_to_s_avg":11276.0,"c_to_s_max":73480,"c_to_s_stddev":20967.0,"s_to_c_min":1,"s_to_c_avg":13013.8,"s_to_c_max":65680,"s_to_c_stddev":21404.4},"pktlen": {"c_to_s_min":86,"c_to_s_avg":154.4,"c_to_s_max":603,"c_to_s_stddev":137.7,"s_to_c_min":86,"s_to_c_avg":692.7,"s_to_c_max":1294,"s_to_c_stddev":552.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01374{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5714,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688831210,"flow_src_last_pkt_time":1605291689029453,"flow_dst_last_pkt_time":1605291689029440,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1007,"flow_dst_tot_l4_payload_len":10130,"midstream":0,"thread_ts_usec":1605291689029453,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":14159.8,"flow_max":67787,"flow_stddev":23093.6,"c_to_s_min":6,"c_to_s_avg":13216.2,"c_to_s_max":67414,"c_to_s_stddev":21976.4,"s_to_c_min":1,"s_to_c_avg":15248.5,"s_to_c_max":67787,"s_to_c_stddev":24273.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":149.4,"c_to_s_max":603,"c_to_s_stddev":138.8,"s_to_c_min":86,"s_to_c_avg":719.6,"s_to_c_max":1294,"s_to_c_stddev":544.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7094,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689408040,"flow_dst_last_pkt_time":1605291689408040,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291689408040,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7094,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1605291689408040,"flow_dst_last_pkt_time":1605291689408040,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291689408040,"pkt":"qtsDr8lk5EKm5WPyht1gCYSFACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3UABuxOPoYYAAAAAoAL9IMRnAAACBAWgBAIICql08xMAAAAAAQMDBw=="} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7110,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1605291689408040,"flow_dst_last_pkt_time":1605291689433785,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291689433785,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleYwqAcsBIEmLB5kd7IUo3\/YpAbvdQHZ86cETj6GHoBJXgAFCAAACBAV4AQMDAwQCCArC10XLqXTzEw=="} @@ -318,7 +318,7 @@ 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7112,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689434011,"flow_dst_last_pkt_time":1605291689433785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291689434011,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01216{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8671,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689434011,"flow_dst_last_pkt_time":1605291689577976,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291689577976,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01604{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8678,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689578012,"flow_dst_last_pkt_time":1605291689578047,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291689578047,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}} -01225{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8914,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689629927,"flow_dst_last_pkt_time":1605291689672104,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1710,"flow_dst_tot_l4_payload_len":4392,"midstream":0,"thread_ts_usec":1605291689672104,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":17040.4,"flow_max":144189,"flow_stddev":36882.7,"c_to_s_min":4,"c_to_s_avg":15446.7,"c_to_s_max":143997,"c_to_s_stddev":35610.9,"s_to_c_min":1,"s_to_c_avg":18861.7,"s_to_c_max":144189,"s_to_c_stddev":38203.2},"pktlen": {"c_to_s_min":86,"c_to_s_avg":193.4,"c_to_s_max":603,"c_to_s_stddev":178.7,"s_to_c_min":86,"s_to_c_avg":361.0,"s_to_c_max":1134,"s_to_c_stddev":399.8}}} +01225{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8914,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689629927,"flow_dst_last_pkt_time":1605291689672104,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1710,"flow_dst_tot_l4_payload_len":4392,"midstream":0,"thread_ts_usec":1605291689672104,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":16756.9,"flow_max":144189,"flow_stddev":37481.1,"c_to_s_min":4,"c_to_s_avg":14792.5,"c_to_s_max":143997,"c_to_s_stddev":36685.6,"s_to_c_min":1,"s_to_c_avg":18861.7,"s_to_c_max":144189,"s_to_c_stddev":38203.2},"pktlen": {"c_to_s_min":86,"c_to_s_avg":193.4,"c_to_s_max":603,"c_to_s_stddev":178.7,"s_to_c_min":86,"s_to_c_avg":361.0,"s_to_c_max":1134,"s_to_c_stddev":399.8}}} 01607{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8914,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689629927,"flow_dst_last_pkt_time":1605291689672104,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1710,"flow_dst_tot_l4_payload_len":4392,"midstream":0,"thread_ts_usec":1605291689672104,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}} 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9080,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291690373466,"flow_src_last_pkt_time":1605291690373466,"flow_dst_last_pkt_time":1605291690373466,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291690373466,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":51006,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9080,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_src_last_pkt_time":1605291690373466,"flow_dst_last_pkt_time":1605291690373466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291690373466,"pkt":"qtsDr8lk5EKm5WPyht1gB68TACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACACxz4Buz6Su2UAAAAAoAL9IFr7AAACBAWgBAIIClRf7UgAAAAAAQMDBw=="} @@ -345,8 +345,8 @@ 01262{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9134,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291690421002,"flow_src_last_pkt_time":1605291690449801,"flow_dst_last_pkt_time":1605291690483975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291690483975,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01221{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9160,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291690405354,"flow_src_last_pkt_time":1605291690440589,"flow_dst_last_pkt_time":1605291690501383,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1360,"midstream":0,"thread_ts_usec":1605291690501383,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::345f:7ca5","src_port":46646,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"aax-eu.amazon-adsystem.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"49b45fc1ab090aa3a159778313fc9b9e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01644{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9166,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1605291690405354,"flow_src_last_pkt_time":1605291690502241,"flow_dst_last_pkt_time":1605291690502750,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5440,"midstream":0,"thread_ts_usec":1605291690502750,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::345f:7ca5","src_port":46646,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"aax-eu.amazon-adsystem.com","tls": {"version":"TLSv1.2","server_names":"aax-eu.amazon-adsystem.com,aax.amazon-adsystem.com,aax-cpm.amazon-adsystem.com,aax-dtb-web.amazon-adsystem.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"49b45fc1ab090aa3a159778313fc9b9e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Amazon, OU=Server CA 1B, CN=Amazon","subjectDN":"CN=aax-eu.amazon-adsystem.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"5D:18:8E:CB:B7:91:5C:79:26:B5:08:49:FF:2C:24:D8:06:54:91:8B"}}} -01383{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9174,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291690384370,"flow_src_last_pkt_time":1605291690495032,"flow_dst_last_pkt_time":1605291690511816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":5622,"midstream":0,"thread_ts_usec":1605291690511816,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":92004.9,"flow_max":2706048,"flow_stddev":469656.3,"c_to_s_min":7,"c_to_s_avg":165688.8,"c_to_s_max":2706048,"c_to_s_stddev":635204.0,"s_to_c_min":1,"s_to_c_avg":8496.4,"s_to_c_max":37185,"s_to_c_stddev":12466.2},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.5,"c_to_s_max":603,"c_to_s_stddev":132.2,"s_to_c_min":86,"s_to_c_avg":461.3,"s_to_c_max":1294,"s_to_c_stddev":471.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01386{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9193,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291690421002,"flow_src_last_pkt_time":1605291690527565,"flow_dst_last_pkt_time":1605291690527527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1054,"flow_dst_tot_l4_payload_len":6986,"midstream":0,"thread_ts_usec":1605291690527565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":7456.9,"flow_max":34221,"flow_stddev":11371.8,"c_to_s_min":8,"c_to_s_avg":7331.6,"c_to_s_max":34221,"c_to_s_stddev":11161.5,"s_to_c_min":1,"s_to_c_avg":7608.9,"s_to_c_max":33241,"s_to_c_stddev":11620.2},"pktlen": {"c_to_s_min":86,"c_to_s_avg":148.5,"c_to_s_max":603,"c_to_s_stddev":140.8,"s_to_c_min":86,"s_to_c_avg":552.3,"s_to_c_max":1294,"s_to_c_stddev":496.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} +01374{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9174,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291690384370,"flow_src_last_pkt_time":1605291690495032,"flow_dst_last_pkt_time":1605291690511816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":5622,"midstream":0,"thread_ts_usec":1605291690511816,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":7680.9,"flow_max":45875,"flow_stddev":12464.9,"c_to_s_min":7,"c_to_s_avg":6916.4,"c_to_s_max":45875,"c_to_s_stddev":12415.1,"s_to_c_min":1,"s_to_c_avg":8496.4,"s_to_c_max":37185,"s_to_c_stddev":12466.2},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.5,"c_to_s_max":603,"c_to_s_stddev":132.2,"s_to_c_min":86,"s_to_c_avg":461.3,"s_to_c_max":1294,"s_to_c_stddev":471.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01386{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9193,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291690421002,"flow_src_last_pkt_time":1605291690527565,"flow_dst_last_pkt_time":1605291690527527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1054,"flow_dst_tot_l4_payload_len":6986,"midstream":0,"thread_ts_usec":1605291690527565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":7102.9,"flow_max":34221,"flow_stddev":11390.5,"c_to_s_min":8,"c_to_s_avg":6660.2,"c_to_s_max":34221,"c_to_s_stddev":11166.9,"s_to_c_min":1,"s_to_c_avg":7608.9,"s_to_c_max":33241,"s_to_c_stddev":11620.2},"pktlen": {"c_to_s_min":86,"c_to_s_avg":148.5,"c_to_s_max":603,"c_to_s_stddev":140.8,"s_to_c_min":86,"s_to_c_avg":552.3,"s_to_c_max":1294,"s_to_c_stddev":496.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291690926655,"flow_src_last_pkt_time":1605291690926655,"flow_dst_last_pkt_time":1605291690926655,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291690926655,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46806,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1605291690926655,"flow_dst_last_pkt_time":1605291690926655,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291690926655,"pkt":"qtsDr8lk5EKm5WPyht1gDDgdACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICAAAAAAAACABttYBu\/eX0dQAAAAAoAL9IKwyAAACBAWgBAIIChrDFp8AAAAAAQMDBw=="} 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9280,"source":"reddit.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291690926734,"flow_src_last_pkt_time":1605291690926734,"flow_dst_last_pkt_time":1605291690926734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291690926734,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46808,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -411,9 +411,9 @@ 01223{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9446,"source":"reddit.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291690926978,"flow_src_last_pkt_time":1605291690957682,"flow_dst_last_pkt_time":1605291691004686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291691004686,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36968,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"tpc.googlesyndication.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9475,"source":"reddit.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":2,"flow_src_last_pkt_time":1605291690992851,"flow_dst_last_pkt_time":1605291691029572,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291691029572,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgPAAAAAAAAIAEqAcsBIEmLB5kd7IUo3\/YpAbuQbO1037mLrsxooBJXgErvAAACBAV4AQMDAwQCCArC10wIuJU7dg=="} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9476,"source":"reddit.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":3,"flow_src_last_pkt_time":1605291691029601,"flow_dst_last_pkt_time":1605291691029572,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":74,"pkt_l4_len":20,"thread_ts_usec":1605291691029601,"pkt":"qtsDr8lk5EKm5WPyht1gBfK\/ABQGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDwAAAAAAACABkGwBu4uuzGgAAAAAUAQAANo6AAA="} -01359{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9501,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291690926655,"flow_src_last_pkt_time":1605291691043702,"flow_dst_last_pkt_time":1605291691043566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1291,"flow_dst_tot_l4_payload_len":11382,"midstream":0,"thread_ts_usec":1605291691043702,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46806,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8572.9,"flow_max":42183,"flow_stddev":12883.5,"c_to_s_min":28,"c_to_s_avg":9923.3,"c_to_s_max":37586,"c_to_s_stddev":12566.6,"s_to_c_min":1,"s_to_c_avg":7306.9,"s_to_c_max":42183,"s_to_c_stddev":13047.4},"pktlen": {"c_to_s_min":86,"c_to_s_avg":172.6,"c_to_s_max":603,"c_to_s_stddev":150.9,"s_to_c_min":86,"s_to_c_avg":756.0,"s_to_c_max":1294,"s_to_c_stddev":562.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01388{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9585,"source":"reddit.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291690926912,"flow_src_last_pkt_time":1605291691067608,"flow_dst_last_pkt_time":1605291691069122,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1326,"flow_dst_tot_l4_payload_len":6622,"midstream":0,"thread_ts_usec":1605291691069122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36964,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":10160.2,"flow_max":45897,"flow_stddev":14603.9,"c_to_s_min":8,"c_to_s_avg":10797.2,"c_to_s_max":45897,"c_to_s_stddev":14051.7,"s_to_c_min":1,"s_to_c_avg":9480.7,"s_to_c_max":45409,"s_to_c_stddev":15141.3},"pktlen": {"c_to_s_min":86,"c_to_s_avg":169.4,"c_to_s_max":603,"c_to_s_stddev":150.7,"s_to_c_min":86,"s_to_c_avg":500.4,"s_to_c_max":1294,"s_to_c_stddev":489.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} -01384{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9629,"source":"reddit.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291690926867,"flow_src_last_pkt_time":1605291691075065,"flow_dst_last_pkt_time":1605291691075150,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":5335,"midstream":0,"thread_ts_usec":1605291691075150,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:811::200a","src_port":38166,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":10596.6,"flow_max":43801,"flow_stddev":13922.3,"c_to_s_min":10,"c_to_s_avg":11263.2,"c_to_s_max":43801,"c_to_s_stddev":13452.5,"s_to_c_min":1,"s_to_c_avg":9885.5,"s_to_c_max":43789,"s_to_c_stddev":14372.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":148.2,"c_to_s_max":603,"c_to_s_stddev":136.7,"s_to_c_min":86,"s_to_c_avg":419.9,"s_to_c_max":1294,"s_to_c_stddev":413.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01359{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9501,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291690926655,"flow_src_last_pkt_time":1605291691043702,"flow_dst_last_pkt_time":1605291691043566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1291,"flow_dst_tot_l4_payload_len":11382,"midstream":0,"thread_ts_usec":1605291691043702,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46806,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":7798.6,"flow_max":42183,"flow_stddev":12366.5,"c_to_s_min":28,"c_to_s_avg":8360.5,"c_to_s_max":37586,"c_to_s_stddev":11513.7,"s_to_c_min":1,"s_to_c_avg":7306.9,"s_to_c_max":42183,"s_to_c_stddev":13047.4},"pktlen": {"c_to_s_min":86,"c_to_s_avg":172.6,"c_to_s_max":603,"c_to_s_stddev":150.9,"s_to_c_min":86,"s_to_c_avg":756.0,"s_to_c_max":1294,"s_to_c_stddev":562.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01386{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9585,"source":"reddit.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291690926912,"flow_src_last_pkt_time":1605291691067608,"flow_dst_last_pkt_time":1605291691069122,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1326,"flow_dst_tot_l4_payload_len":6622,"midstream":0,"thread_ts_usec":1605291691069122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36964,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9430.2,"flow_max":45897,"flow_stddev":14278.1,"c_to_s_min":8,"c_to_s_avg":9379.7,"c_to_s_max":45897,"c_to_s_stddev":13359.1,"s_to_c_min":1,"s_to_c_avg":9480.7,"s_to_c_max":45409,"s_to_c_stddev":15141.3},"pktlen": {"c_to_s_min":86,"c_to_s_avg":169.4,"c_to_s_max":603,"c_to_s_stddev":150.7,"s_to_c_min":86,"s_to_c_avg":500.4,"s_to_c_max":1294,"s_to_c_stddev":489.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} +01382{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9629,"source":"reddit.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291690926867,"flow_src_last_pkt_time":1605291691075065,"flow_dst_last_pkt_time":1605291691075150,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":5335,"midstream":0,"thread_ts_usec":1605291691075150,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:811::200a","src_port":38166,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":9882.7,"flow_max":43801,"flow_stddev":13582.8,"c_to_s_min":10,"c_to_s_avg":9879.9,"c_to_s_max":43801,"c_to_s_stddev":12744.1,"s_to_c_min":1,"s_to_c_avg":9885.5,"s_to_c_max":43789,"s_to_c_stddev":14372.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":148.2,"c_to_s_max":603,"c_to_s_stddev":136.7,"s_to_c_min":86,"s_to_c_avg":419.9,"s_to_c_max":1294,"s_to_c_stddev":413.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00788{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11226,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291696948991,"flow_src_last_pkt_time":1605291696948991,"flow_dst_last_pkt_time":1605291696948991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291696948991,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::34d3:acec","src_port":47006,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11226,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1605291696948991,"flow_dst_last_pkt_time":1605291696948991,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291696948991,"pkt":"qtsDr8lk5EKm5WPyht1gDNdJACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAAA006zst54Bu3jHKBQAAAAAoAL9IL45AAACBAWgBAIIClIhuaMAAAAAAQMDBw=="} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11227,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":2,"flow_src_last_pkt_time":1605291696948991,"flow_dst_last_pkt_time":1605291696965238,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291696965238,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAADTTrOwqAcsBIEmLB5kd7IUo3\/YpAbu3nh9OKxV4xygVoBJXgPOCAAACBAV4AQMDAwQCCArC12M3UiG5ow=="} diff --git a/test/results/rtsp.pcap.out b/test/results/rtsp.pcap.out index d027a1eb7..1f28769f0 100644 --- a/test/results/rtsp.pcap.out +++ b/test/results/rtsp.pcap.out @@ -10,39 +10,39 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1627567279015798,"flow_dst_last_pkt_time":1627567279015763,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567279015798,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRW5UAAgAaM0AoBAQoKAgICzPghaqHfszoAAAAAgAL68BmUAAACBAW0AQMDCAEBBAI="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1627567279015800,"flow_dst_last_pkt_time":1627567279015763,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567279015800,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRW5UAAfwaN0AoBAQoKAgICzPghaqHfszoAAAAAgAL68BmUAAACBAW0AQMDCAEBBAI="} 00975{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":25,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567279015763,"flow_src_last_pkt_time":1627567279029411,"flow_dst_last_pkt_time":1627567279016046,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567279029411,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52472,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} -01444{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":44,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567279015763,"flow_src_last_pkt_time":1627567279050715,"flow_dst_last_pkt_time":1627567279050859,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567279050859,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52472,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":49355.4,"flow_max":1509326,"flow_stddev":262282.2,"c_to_s_min":2,"c_to_s_avg":96517.4,"c_to_s_max":1509326,"c_to_s_stddev":364831.7,"s_to_c_min":2,"s_to_c_avg":2193.5,"s_to_c_max":20633,"s_to_c_stddev":5767.6},"pktlen": {"c_to_s_min":56,"c_to_s_avg":124.6,"c_to_s_max":198,"c_to_s_stddev":61.1,"s_to_c_min":56,"s_to_c_avg":92.5,"s_to_c_max":181,"s_to_c_stddev":51.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +01434{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":44,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567279015763,"flow_src_last_pkt_time":1627567279050715,"flow_dst_last_pkt_time":1627567279050859,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567279050859,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52472,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":2259.6,"flow_max":21135,"flow_stddev":5876.1,"c_to_s_min":2,"c_to_s_avg":2330.1,"c_to_s_max":21135,"c_to_s_stddev":5988.9,"s_to_c_min":2,"s_to_c_avg":2193.5,"s_to_c_max":20633,"s_to_c_stddev":5767.6},"pktlen": {"c_to_s_min":56,"c_to_s_avg":124.6,"c_to_s_max":198,"c_to_s_stddev":61.1,"s_to_c_min":56,"s_to_c_avg":92.5,"s_to_c_max":181,"s_to_c_stddev":51.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":109,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567338841836,"flow_dst_last_pkt_time":1627567338841836,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567338841836,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1627567338841836,"flow_dst_last_pkt_time":1627567338841836,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567338841836,"pkt":"AAMAAQAGAAwp8x5yAAAIAEUAADRXFEAAgAaMoQoBAQoKAgICzPohap\/Ji+cAAAAAgAL68EL7AAACBAW0AQMDCAEBBAI="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":110,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1627567338841847,"flow_dst_last_pkt_time":1627567338841836,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567338841847,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXFEAAgAaMoQoBAQoKAgICzPohap\/Ji+cAAAAAgAL68EL7AAACBAW0AQMDCAEBBAI="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":111,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1627567338841853,"flow_dst_last_pkt_time":1627567338841836,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567338841853,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXFEAAfwaNoQoBAQoKAgICzPohap\/Ji+cAAAAAgAL68EL7AAACBAW0AQMDCAEBBAI="} 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":121,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567338851945,"flow_dst_last_pkt_time":1627567338842169,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567338851945,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} -01446{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":140,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567338873699,"flow_dst_last_pkt_time":1627567338873793,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567338873793,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":51828.4,"flow_max":1594689,"flow_stddev":277158.2,"c_to_s_min":4,"c_to_s_avg":101659.5,"c_to_s_max":1594689,"c_to_s_stddev":385536.7,"s_to_c_min":3,"s_to_c_avg":1997.3,"s_to_c_max":20464,"s_to_c_stddev":5343.5},"pktlen": {"c_to_s_min":56,"c_to_s_avg":124.6,"c_to_s_max":198,"c_to_s_stddev":61.1,"s_to_c_min":56,"s_to_c_avg":92.5,"s_to_c_max":181,"s_to_c_stddev":51.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +01435{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":140,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567338873699,"flow_dst_last_pkt_time":1627567338873793,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567338873793,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":2058.7,"flow_max":21234,"flow_stddev":5470.2,"c_to_s_min":4,"c_to_s_avg":2124.2,"c_to_s_max":21234,"c_to_s_stddev":5601.5,"s_to_c_min":3,"s_to_c_avg":1997.3,"s_to_c_max":20464,"s_to_c_stddev":5343.5},"pktlen": {"c_to_s_min":56,"c_to_s_avg":124.6,"c_to_s_max":198,"c_to_s_stddev":61.1,"s_to_c_min":56,"s_to_c_avg":92.5,"s_to_c_max":181,"s_to_c_stddev":51.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":193,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567398644402,"flow_dst_last_pkt_time":1627567398644402,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567398644402,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":193,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1627567398644402,"flow_dst_last_pkt_time":1627567398644402,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567398644402,"pkt":"AAMAAQAGAAwp8x5yAAAIAEUAADRXQ0AAgAaMcgoBAQoKAgICzPwhaprxAXoAAAAAgAL68NI+AAACBAW0AQMDCAEBBAI="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":194,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1627567398644413,"flow_dst_last_pkt_time":1627567398644402,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567398644413,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXQ0AAgAaMcgoBAQoKAgICzPwhaprxAXoAAAAAgAL68NI+AAACBAW0AQMDCAEBBAI="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":195,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1627567398644419,"flow_dst_last_pkt_time":1627567398644402,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567398644419,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXQ0AAfwaNcgoBAQoKAgICzPwhaprxAXoAAAAAgAL68NI+AAACBAW0AQMDCAEBBAI="} 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":205,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567398650712,"flow_dst_last_pkt_time":1627567398644910,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567398650712,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} -01445{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":224,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567398672191,"flow_dst_last_pkt_time":1627567398672567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567398672567,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":48569.8,"flow_max":1498281,"flow_stddev":260424.4,"c_to_s_min":3,"c_to_s_avg":95379.4,"c_to_s_max":1498281,"c_to_s_stddev":362263.3,"s_to_c_min":4,"s_to_c_avg":1760.3,"s_to_c_max":20136,"s_to_c_stddev":4970.7},"pktlen": {"c_to_s_min":56,"c_to_s_avg":124.6,"c_to_s_max":198,"c_to_s_stddev":61.1,"s_to_c_min":56,"s_to_c_avg":92.5,"s_to_c_max":181,"s_to_c_stddev":51.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +01435{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":224,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567398672191,"flow_dst_last_pkt_time":1627567398672567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567398672567,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":1805.0,"flow_max":21000,"flow_stddev":5109.4,"c_to_s_min":3,"c_to_s_avg":1852.6,"c_to_s_max":21000,"c_to_s_stddev":5252.8,"s_to_c_min":4,"s_to_c_avg":1760.3,"s_to_c_max":20136,"s_to_c_stddev":4970.7},"pktlen": {"c_to_s_min":56,"c_to_s_avg":124.6,"c_to_s_max":198,"c_to_s_stddev":61.1,"s_to_c_min":56,"s_to_c_avg":92.5,"s_to_c_max":181,"s_to_c_stddev":51.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":289,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567406342871,"flow_dst_last_pkt_time":1627567406342871,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567406342871,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":289,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1627567406342871,"flow_dst_last_pkt_time":1627567406342871,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567406342871,"pkt":"AAMAAQAGAAwp8x5yAAAIAEUAADRXW0AAgAaMWgoBAQoKAgICzP4hahoxf3IAAAAAgAL68NUEAAACBAW0AQMDCAEBBAI="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":290,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1627567406342884,"flow_dst_last_pkt_time":1627567406342871,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567406342884,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXW0AAgAaMWgoBAQoKAgICzP4hahoxf3IAAAAAgAL68NUEAAACBAW0AQMDCAEBBAI="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":291,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1627567406342896,"flow_dst_last_pkt_time":1627567406342871,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567406342896,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXW0AAfwaNWgoBAQoKAgICzP4hahoxf3IAAAAAgAL68NUEAAACBAW0AQMDCAEBBAI="} 00977{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":309,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":8,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567406849577,"flow_dst_last_pkt_time":1627567406849152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567406849577,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} -01445{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567406849646,"flow_dst_last_pkt_time":1627567406870301,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567406870301,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":33364.1,"flow_max":505214,"flow_stddev":121921.8,"c_to_s_min":3,"c_to_s_avg":33763.9,"c_to_s_max":505214,"c_to_s_stddev":121994.1,"s_to_c_min":2,"s_to_c_avg":32964.4,"s_to_c_max":504501,"s_to_c_stddev":121848.1},"pktlen": {"c_to_s_min":56,"c_to_s_avg":92.1,"c_to_s_max":172,"c_to_s_stddev":46.2,"s_to_c_min":56,"s_to_c_avg":92.5,"s_to_c_max":181,"s_to_c_stddev":51.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +01445{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567406849646,"flow_dst_last_pkt_time":1627567406870301,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567406870301,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":33361.5,"flow_max":505214,"flow_stddev":123872.6,"c_to_s_min":3,"c_to_s_avg":33785.0,"c_to_s_max":505214,"c_to_s_stddev":125994.9,"s_to_c_min":2,"s_to_c_avg":32964.4,"s_to_c_max":504501,"s_to_c_stddev":121848.1},"pktlen": {"c_to_s_min":56,"c_to_s_avg":92.1,"c_to_s_max":172,"c_to_s_stddev":46.2,"s_to_c_min":56,"s_to_c_avg":92.5,"s_to_c_max":181,"s_to_c_stddev":51.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 01018{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":381,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":8,"flow_first_seen":1627567277506127,"flow_src_last_pkt_time":1627567277506259,"flow_dst_last_pkt_time":1627567277506605,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":149,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":596,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1627567407043157,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52470,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":393,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567466882987,"flow_src_last_pkt_time":1627567466882987,"flow_dst_last_pkt_time":1627567466882987,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567466882987,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52480,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":393,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1627567466882987,"flow_dst_last_pkt_time":1627567466882987,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567466882987,"pkt":"AAMAAQAGAAwp8x5yAAAIAEUAADRXikAAgAaMKwoBAQoKAgICzQAhaqp6lfQAAAAAgAL68C43AAACBAW0AQMDCAEBBAI="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":394,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1627567466883000,"flow_dst_last_pkt_time":1627567466882987,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567466883000,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXikAAgAaMKwoBAQoKAgICzQAhaqp6lfQAAAAAgAL68C43AAACBAW0AQMDCAEBBAI="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":395,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1627567466883010,"flow_dst_last_pkt_time":1627567466882987,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567466883010,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXikAAfwaNKwoBAQoKAgICzQAhaqp6lfQAAAAAgAL68C43AAACBAW0AQMDCAEBBAI="} 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":405,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567466882987,"flow_src_last_pkt_time":1627567466894186,"flow_dst_last_pkt_time":1627567466883471,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567466894186,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52480,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} -01445{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":424,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567466882987,"flow_src_last_pkt_time":1627567466918846,"flow_dst_last_pkt_time":1627567466919056,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567466919056,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52480,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":49628.1,"flow_max":1516171,"flow_stddev":263461.8,"c_to_s_min":4,"c_to_s_avg":97001.9,"c_to_s_max":1516171,"c_to_s_stddev":366478.0,"s_to_c_min":1,"s_to_c_avg":2254.3,"s_to_c_max":20263,"s_to_c_stddev":5435.7},"pktlen": {"c_to_s_min":56,"c_to_s_avg":124.6,"c_to_s_max":198,"c_to_s_stddev":61.1,"s_to_c_min":56,"s_to_c_avg":92.5,"s_to_c_max":181,"s_to_c_stddev":51.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +01435{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":424,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567466882987,"flow_src_last_pkt_time":1627567466918846,"flow_dst_last_pkt_time":1627567466919056,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567466919056,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52480,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":2320.3,"flow_max":23771,"flow_stddev":5847.6,"c_to_s_min":4,"c_to_s_avg":2390.6,"c_to_s_max":23771,"c_to_s_stddev":6256.4,"s_to_c_min":1,"s_to_c_avg":2254.3,"s_to_c_max":20263,"s_to_c_stddev":5435.7},"pktlen": {"c_to_s_min":56,"c_to_s_avg":124.6,"c_to_s_max":198,"c_to_s_stddev":61.1,"s_to_c_min":56,"s_to_c_avg":92.5,"s_to_c_max":181,"s_to_c_stddev":51.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":477,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":40,"flow_dst_packets_processed":56,"flow_first_seen":1627567279015763,"flow_src_last_pkt_time":1627567337246837,"flow_dst_last_pkt_time":1627567337247147,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":695,"flow_src_tot_l4_payload_len":3772,"flow_dst_tot_l4_payload_len":7568,"midstream":0,"thread_ts_usec":1627567467094146,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52472,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":485,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567528106056,"flow_src_last_pkt_time":1627567528106056,"flow_dst_last_pkt_time":1627567528106056,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567528106056,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52482,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":485,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1627567528106056,"flow_dst_last_pkt_time":1627567528106056,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567528106056,"pkt":"AAMAAQAGAAwp8x5yLpgIAEUAADRXuEAAgAaL\/QoBAQoKAgICzQIhahNS1wEAAAAAgAL68IRQAAACBAW0AQMDCAEBBAI="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":486,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1627567528106069,"flow_dst_last_pkt_time":1627567528106056,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567528106069,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXuEAAgAaL\/QoBAQoKAgICzQIhahNS1wEAAAAAgAL68IRQAAACBAW0AQMDCAEBBAI="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":487,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1627567528106081,"flow_dst_last_pkt_time":1627567528106056,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567528106081,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXuEAAfwaM\/QoBAQoKAgICzQIhahNS1wEAAAAAgAL68IRQAAACBAW0AQMDCAEBBAI="} 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":497,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567528106056,"flow_src_last_pkt_time":1627567528113539,"flow_dst_last_pkt_time":1627567528106633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567528113539,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52482,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} -01445{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":516,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567528106056,"flow_src_last_pkt_time":1627567528134816,"flow_dst_last_pkt_time":1627567528135319,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567528135319,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52482,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":48137.1,"flow_max":1482365,"flow_stddev":257645.7,"c_to_s_min":4,"c_to_s_avg":94445.3,"c_to_s_max":1482365,"c_to_s_stddev":358397.0,"s_to_c_min":5,"s_to_c_avg":1828.9,"s_to_c_max":20043,"s_to_c_stddev":5029.1},"pktlen": {"c_to_s_min":56,"c_to_s_avg":124.6,"c_to_s_max":198,"c_to_s_stddev":61.1,"s_to_c_min":56,"s_to_c_avg":92.5,"s_to_c_max":181,"s_to_c_stddev":51.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +01435{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":516,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567528106056,"flow_src_last_pkt_time":1627567528134816,"flow_dst_last_pkt_time":1627567528135319,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567528135319,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52482,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":1871.7,"flow_max":21029,"flow_stddev":5194.1,"c_to_s_min":4,"c_to_s_avg":1917.3,"c_to_s_max":21029,"c_to_s_stddev":5364.1,"s_to_c_min":5,"s_to_c_avg":1828.9,"s_to_c_max":20043,"s_to_c_stddev":5029.1},"pktlen": {"c_to_s_min":56,"c_to_s_avg":124.6,"c_to_s_max":198,"c_to_s_stddev":61.1,"s_to_c_min":56,"s_to_c_avg":92.5,"s_to_c_max":181,"s_to_c_stddev":51.2}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":568,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":40,"flow_dst_packets_processed":44,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567397145857,"flow_dst_last_pkt_time":1627567397146153,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":695,"flow_src_tot_l4_payload_len":3772,"flow_dst_tot_l4_payload_len":7568,"midstream":0,"thread_ts_usec":1627567528308580,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":568,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":44,"flow_dst_packets_processed":52,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567406306458,"flow_dst_last_pkt_time":1627567406309520,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":695,"flow_src_tot_l4_payload_len":3176,"flow_dst_tot_l4_payload_len":7568,"midstream":0,"thread_ts_usec":1627567528308580,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":568,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":44,"flow_dst_packets_processed":60,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567465366594,"flow_dst_last_pkt_time":1627567465366846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":201,"flow_dst_max_l4_payload_len":695,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":7540,"midstream":0,"thread_ts_usec":1627567528308580,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} @@ -62,5 +62,5 @@ ~~ total allocations/frees...: 122092/122092 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 475 chars -~~ json string max len.......: 1451 chars -~~ json string avg len.......: 962 chars +~~ json string max len.......: 1450 chars +~~ json string avg len.......: 961 chars diff --git a/test/results/rx.pcap.out b/test/results/rx.pcap.out index abd42589b..11dfa51a3 100644 --- a/test/results/rx.pcap.out +++ b/test/results/rx.pcap.out @@ -25,7 +25,7 @@ 00576{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"rx.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1460647299986990,"flow_dst_last_pkt_time":1460647300017623,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":108,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":108,"pkt_l4_len":74,"thread_ts_usec":1460647300017623,"pkt":"AAjK968mPIqwbTfwCABFAABeUWIAADoRQO7Ap858g3LbqBtYG1kASjJ01w+zMFwiT7QAAAABAAAAAAAAAAECIgAAXV0AAQAAAAAAAAABAAAAAQAAAAAGAQEAAAAAAAWkAAAFpAAAABAAAAAB"} 00858{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":28,"source":"rx.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1460647299986990,"flow_src_last_pkt_time":1460647299986990,"flow_dst_last_pkt_time":1460647300017623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":66,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":66,"midstream":0,"thread_ts_usec":1460647300017623,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.124","src_port":7001,"dst_port":7000,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00576{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"rx.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1460647300017672,"flow_dst_last_pkt_time":1460647300017623,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":107,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":107,"pkt_l4_len":73,"thread_ts_usec":1460647300017672,"pkt":"PIqwbTfwAAjK968mCABFAABd9xIAAEARlT6DctuowKfOfBtZG1gASacR1w+zMFwiT7QAAAABAAAAAAAAAAICIQAAAAAAAQAAAAAAAAABAAAAAAAAAAEHAAAAAAAAFjwAAAWkAAAAEAAAAAQ="} -01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":61,"source":"rx.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1460647299704750,"flow_src_last_pkt_time":1460647300147650,"flow_dst_last_pkt_time":1460647300150407,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":468,"flow_dst_max_l4_payload_len":740,"flow_src_tot_l4_payload_len":2528,"flow_dst_tot_l4_payload_len":1781,"midstream":0,"thread_ts_usec":1460647300150407,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.241","src_port":7001,"dst_port":7000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":52,"flow_avg":28863.9,"flow_max":105287,"flow_stddev":33076.1,"c_to_s_min":52,"c_to_s_avg":28117.0,"c_to_s_max":103176,"c_to_s_stddev":32194.3,"s_to_c_min":277,"s_to_c_avg":29710.5,"s_to_c_max":105287,"s_to_c_stddev":34028.1},"pktlen": {"c_to_s_min":70,"c_to_s_avg":190.7,"c_to_s_max":510,"c_to_s_stddev":158.7,"s_to_c_min":74,"s_to_c_avg":160.7,"s_to_c_max":782,"s_to_c_stddev":172.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} +01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":61,"source":"rx.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1460647299704750,"flow_src_last_pkt_time":1460647300147650,"flow_dst_last_pkt_time":1460647300150407,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":468,"flow_dst_max_l4_payload_len":740,"flow_src_tot_l4_payload_len":2528,"flow_dst_tot_l4_payload_len":1781,"midstream":0,"thread_ts_usec":1460647300150407,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.241","src_port":7001,"dst_port":7000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":52,"flow_avg":28663.1,"flow_max":105287,"flow_stddev":33586.2,"c_to_s_min":52,"c_to_s_avg":27681.2,"c_to_s_max":103176,"c_to_s_stddev":33136.4,"s_to_c_min":277,"s_to_c_avg":29710.5,"s_to_c_max":105287,"s_to_c_stddev":34028.1},"pktlen": {"c_to_s_min":70,"c_to_s_avg":190.7,"c_to_s_max":510,"c_to_s_stddev":158.7,"s_to_c_min":74,"s_to_c_avg":160.7,"s_to_c_max":782,"s_to_c_stddev":172.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00901{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":132,"source":"rx.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1460647264018403,"flow_src_last_pkt_time":1460647264026325,"flow_dst_last_pkt_time":1460647264026287,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":292,"flow_dst_max_l4_payload_len":36,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":36,"midstream":0,"thread_ts_usec":1460647320158051,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.124","src_port":41559,"dst_port":7002,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00905{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":132,"source":"rx.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":10,"flow_first_seen":1460647299986990,"flow_src_last_pkt_time":1460647320158051,"flow_dst_last_pkt_time":1460647300312692,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":468,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":1665,"flow_dst_tot_l4_payload_len":637,"midstream":0,"thread_ts_usec":1460647320158051,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.124","src_port":7001,"dst_port":7000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00906{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":132,"source":"rx.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":48,"flow_dst_packets_processed":31,"flow_first_seen":1460647299704750,"flow_src_last_pkt_time":1460647320158014,"flow_dst_last_pkt_time":1460647300329629,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":468,"flow_dst_max_l4_payload_len":740,"flow_src_tot_l4_payload_len":4792,"flow_dst_tot_l4_payload_len":4266,"midstream":0,"thread_ts_usec":1460647320158051,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.241","src_port":7001,"dst_port":7000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} diff --git a/test/results/s7comm.pcap.out b/test/results/s7comm.pcap.out index 489a149cf..714468a48 100644 --- a/test/results/s7comm.pcap.out +++ b/test/results/s7comm.pcap.out @@ -5,7 +5,7 @@ 00861{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1408528803880679,"flow_src_last_pkt_time":1408528803880679,"flow_dst_last_pkt_time":1408528803880679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":22,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1408528803880679,"l3_proto":"ip4","src_ip":"192.168.1.10","dst_ip":"192.168.1.40","src_port":4185,"dst_port":102,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"s7comm","proto_id":"249","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1408528803880679,"flow_dst_last_pkt_time":1408528803884414,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"thread_ts_usec":1408528803884414,"pkt":"kOa6hF5BABsbI+s7CABFAAA+AM4AAB4GGGrAqAEowKgBCgBmEFkAAvsQkETduFAYEAAGowAAAwAAFhHQAAcAAwDAAQrBAgEAwgIBAg=="} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1408528803884562,"flow_dst_last_pkt_time":1408528803884414,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1408528803884562,"pkt":"ABsbI+s7kOa6hF5BCABFAABBLUxAAIAGAADAqAEKwKgBKBBZAGaQRN24AAL7JlAY+tqDtgAAAwAAGQLwgDIBAAACAAAIAADwAAABAAEB4A=="} -01350{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1408528803880679,"flow_src_last_pkt_time":1408528803957564,"flow_dst_last_pkt_time":1408528803957480,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":7,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":221,"flow_src_tot_l4_payload_len":396,"flow_dst_tot_l4_payload_len":794,"midstream":1,"thread_ts_usec":1408528803957564,"l3_proto":"ip4","src_ip":"192.168.1.10","dst_ip":"192.168.1.40","src_port":4185,"dst_port":102,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":66,"flow_avg":89663920.0,"flow_max":2869091799,"flow_stddev":499200000.0,"c_to_s_min":66,"c_to_s_avg":136627072.0,"c_to_s_max":2869091799,"c_to_s_stddev":610997696.0,"s_to_c_min":3114,"s_to_c_avg":6981.9,"s_to_c_max":9013,"s_to_c_stddev":2148.4},"pktlen": {"c_to_s_min":61,"c_to_s_avg":72.9,"c_to_s_max":87,"c_to_s_stddev":11.6,"s_to_c_min":76,"s_to_c_avg":126.2,"s_to_c_max":275,"s_to_c_stddev":51.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"s7comm","proto_id":"249","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01319{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1408528803880679,"flow_src_last_pkt_time":1408528803957564,"flow_dst_last_pkt_time":1408528803957480,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":7,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":221,"flow_src_tot_l4_payload_len":396,"flow_dst_tot_l4_payload_len":794,"midstream":1,"thread_ts_usec":1408528803957564,"l3_proto":"ip4","src_ip":"192.168.1.10","dst_ip":"192.168.1.40","src_port":4185,"dst_port":102,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":66,"flow_avg":4957.6,"flow_max":9013,"flow_stddev":3321.6,"c_to_s_min":66,"c_to_s_avg":3844.2,"c_to_s_max":8819,"c_to_s_stddev":3327.1,"s_to_c_min":3114,"s_to_c_avg":6981.9,"s_to_c_max":9013,"s_to_c_stddev":2148.4},"pktlen": {"c_to_s_min":61,"c_to_s_avg":72.9,"c_to_s_max":87,"c_to_s_stddev":11.6,"s_to_c_min":76,"s_to_c_avg":126.2,"s_to_c_max":275,"s_to_c_stddev":51.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"s7comm","proto_id":"249","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00910{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":55,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":36,"flow_dst_packets_processed":19,"flow_first_seen":1408528803880679,"flow_src_last_pkt_time":1408528804003972,"flow_dst_last_pkt_time":1408528804016478,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":7,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":247,"flow_dst_max_l4_payload_len":221,"flow_src_tot_l4_payload_len":1202,"flow_dst_tot_l4_payload_len":1088,"midstream":1,"thread_ts_usec":1408528804016478,"l3_proto":"ip4","src_ip":"192.168.1.10","dst_ip":"192.168.1.40","src_port":4185,"dst_port":102,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"s7comm","proto_id":"249","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00558{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":55,"source":"s7comm.pcap","alias":"nDPId-test","packets-captured":55,"packets-processed":55,"total-skipped-flows":0,"total-l4-payload-len":2290,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1408528804016478} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121489/121489 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 477 chars -~~ json string max len.......: 1355 chars -~~ json string avg len.......: 883 chars +~~ json string max len.......: 1324 chars +~~ json string avg len.......: 869 chars diff --git a/test/results/safari.pcap.out b/test/results/safari.pcap.out index b0fe1d4da..0b2f5df77 100644 --- a/test/results/safari.pcap.out +++ b/test/results/safari.pcap.out @@ -17,7 +17,7 @@ 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1620898025217296,"flow_dst_last_pkt_time":1620898025217296,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620898025217296,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EtfkAbuNFQaeAAAAALAC\/\/8+CAAAAgQFtAEDAwUBAQgKMzDJ1AAAAAAEAgAA"} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":33,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620898025217638,"flow_src_last_pkt_time":1620898025217638,"flow_dst_last_pkt_time":1620898025217638,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620898025217638,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1620898025217638,"flow_dst_last_pkt_time":1620898025217638,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620898025217638,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EtflAbtmxM47AAAAALAC\/\/+cugAAAgQFtAEDAwUBAQgKMzDJ1AAAAAAEAgAA"} -01216{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":37,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898024056646,"flow_src_last_pkt_time":1620898025244024,"flow_dst_last_pkt_time":1620898025243976,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":379,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":15026,"midstream":0,"thread_ts_usec":1620898025244024,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":98085136.0,"flow_max":3136349750,"flow_stddev":545688448.0,"c_to_s_min":3,"c_to_s_avg":209169136.0,"c_to_s_max":3136349750,"c_to_s_stddev":782321920.0,"s_to_c_min":14,"s_to_c_avg":69842.9,"s_to_c_max":550635,"s_to_c_stddev":160243.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":137.9,"c_to_s_max":445,"c_to_s_stddev":131.4,"s_to_c_min":66,"s_to_c_avg":950.4,"s_to_c_max":1506,"s_to_c_stddev":676.2}}} +01195{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":37,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898024056646,"flow_src_last_pkt_time":1620898025244024,"flow_dst_last_pkt_time":1620898025243976,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":379,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":15026,"midstream":0,"thread_ts_usec":1620898025244024,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":76603.5,"flow_max":579033,"flow_stddev":166832.5,"c_to_s_min":3,"c_to_s_avg":84812.7,"c_to_s_max":579033,"c_to_s_stddev":174146.8,"s_to_c_min":14,"s_to_c_avg":69842.9,"s_to_c_max":550635,"s_to_c_stddev":160243.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":137.9,"c_to_s_max":445,"c_to_s_stddev":131.4,"s_to_c_min":66,"s_to_c_avg":950.4,"s_to_c_max":1506,"s_to_c_stddev":676.2}}} 01541{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":37,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898024056646,"flow_src_last_pkt_time":1620898025244024,"flow_dst_last_pkt_time":1620898025243976,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":379,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":15026,"midstream":0,"thread_ts_usec":1620898025244024,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","server_names":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL CA 3","subjectDN":"C=IT, ST=Lazio, L=Roma, O=Consiglio Nazionale delle Ricerche, OU=IIT, CN=www.iit.cnr.it","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"C4:F6:98:75:7E:20:5C:B6:33:14:59:3F:CF:26:96:38:D0:4B:73:69"}}} 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"safari.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1620898025216866,"flow_dst_last_pkt_time":1620898025246476,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620898025246476,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG71+Mw2y0GI1TJC6AS\/oiwoAAAAgQFrAQCCAo6Vq73MzDJ0wEDAwc="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"safari.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1620898025246531,"flow_dst_last_pkt_time":1620898025246476,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1620898025246531,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EtfjAbsjVMkLMNstB4AQECzNqAAAAQEICjMwyew6Vq73"} @@ -39,11 +39,11 @@ 01205{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":71,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620898025217296,"flow_src_last_pkt_time":1620898025249194,"flow_dst_last_pkt_time":1620898025279148,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":141,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":141,"midstream":0,"thread_ts_usec":1620898025279148,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55268,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"ee4ced3f2d15de4b5cb6fb0a894fec9f","ja3s":"fd4bc6cea4877646ccd62f0792ec0b62","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}} 01205{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":74,"source":"safari.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620898025216511,"flow_src_last_pkt_time":1620898025249268,"flow_dst_last_pkt_time":1620898025281225,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":141,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":141,"midstream":0,"thread_ts_usec":1620898025281225,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55266,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"ee4ced3f2d15de4b5cb6fb0a894fec9f","ja3s":"fd4bc6cea4877646ccd62f0792ec0b62","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}} 01205{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":77,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620898025217638,"flow_src_last_pkt_time":1620898025252477,"flow_dst_last_pkt_time":1620898025284814,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":141,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":141,"midstream":0,"thread_ts_usec":1620898025284814,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"ee4ced3f2d15de4b5cb6fb0a894fec9f","ja3s":"fd4bc6cea4877646ccd62f0792ec0b62","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}} -01464{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":180,"source":"safari.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216866,"flow_src_last_pkt_time":1620898025482937,"flow_dst_last_pkt_time":1620898025510399,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":442,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1135,"flow_dst_tot_l4_payload_len":16958,"midstream":0,"thread_ts_usec":1620898025510399,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55267,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":31034.5,"flow_max":433501,"flow_stddev":77606.6,"c_to_s_min":247,"c_to_s_avg":49969.4,"c_to_s_max":433501,"c_to_s_stddev":108871.5,"s_to_c_min":2,"s_to_c_avg":16307.4,"s_to_c_max":118862,"s_to_c_stddev":31502.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":147.9,"c_to_s_max":508,"c_to_s_stddev":154.6,"s_to_c_min":66,"s_to_c_avg":1008.6,"s_to_c_max":1506,"s_to_c_stddev":658.0}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01462{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"safari.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216193,"flow_src_last_pkt_time":1620898025515519,"flow_dst_last_pkt_time":1620898025515861,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":434,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1102,"flow_dst_tot_l4_payload_len":16480,"midstream":0,"thread_ts_usec":1620898025515861,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55265,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":32244.4,"flow_max":432828,"flow_stddev":78925.9,"c_to_s_min":3,"c_to_s_avg":52296.7,"c_to_s_max":432828,"c_to_s_stddev":109053.3,"s_to_c_min":16,"s_to_c_avg":16648.2,"s_to_c_max":140358,"s_to_c_stddev":35616.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":145.6,"c_to_s_max":500,"c_to_s_stddev":149.2,"s_to_c_min":66,"s_to_c_avg":982.0,"s_to_c_max":1506,"s_to_c_stddev":665.6}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01463{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":260,"source":"safari.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216511,"flow_src_last_pkt_time":1620898025519635,"flow_dst_last_pkt_time":1620898025519733,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":437,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16706,"midstream":0,"thread_ts_usec":1620898025519733,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55266,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":9,"flow_avg":32484.1,"flow_max":433146,"flow_stddev":79236.3,"c_to_s_min":127,"c_to_s_avg":52590.7,"c_to_s_max":433146,"c_to_s_stddev":109242.5,"s_to_c_min":9,"s_to_c_avg":16845.7,"s_to_c_max":144002,"s_to_c_stddev":36340.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":147.6,"c_to_s_max":503,"c_to_s_stddev":153.7,"s_to_c_min":66,"s_to_c_avg":994.6,"s_to_c_max":1506,"s_to_c_stddev":659.8}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01463{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":280,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025217638,"flow_src_last_pkt_time":1620898025521891,"flow_dst_last_pkt_time":1620898025521857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":434,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1125,"flow_dst_tot_l4_payload_len":16096,"midstream":0,"thread_ts_usec":1620898025521891,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":32585.8,"flow_max":434273,"flow_stddev":79562.8,"c_to_s_min":244,"c_to_s_avg":52751.9,"c_to_s_max":434273,"c_to_s_stddev":109402.6,"s_to_c_min":3,"s_to_c_avg":16901.1,"s_to_c_max":147007,"s_to_c_stddev":37178.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":147.2,"c_to_s_max":500,"c_to_s_stddev":152.9,"s_to_c_min":66,"s_to_c_avg":960.7,"s_to_c_max":1506,"s_to_c_stddev":684.6}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01462{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898025217296,"flow_src_last_pkt_time":1620898025552151,"flow_dst_last_pkt_time":1620898025552116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":437,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1558,"flow_dst_tot_l4_payload_len":13367,"midstream":0,"thread_ts_usec":1620898025552151,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55268,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":34487.7,"flow_max":433931,"flow_stddev":79398.4,"c_to_s_min":2,"c_to_s_avg":51252.4,"c_to_s_max":433931,"c_to_s_stddev":106346.2,"s_to_c_min":14,"s_to_c_avg":19695.3,"s_to_c_max":146010,"s_to_c_stddev":37693.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":170.7,"c_to_s_max":503,"c_to_s_stddev":171.8,"s_to_c_min":66,"s_to_c_avg":852.8,"s_to_c_max":1506,"s_to_c_stddev":687.2}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01462{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":180,"source":"safari.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216866,"flow_src_last_pkt_time":1620898025482937,"flow_dst_last_pkt_time":1620898025510399,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":442,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1135,"flow_dst_tot_l4_payload_len":16958,"midstream":0,"thread_ts_usec":1620898025510399,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55267,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":18051.7,"flow_max":118862,"flow_stddev":28694.5,"c_to_s_min":247,"c_to_s_avg":20467.0,"c_to_s_max":84464,"c_to_s_stddev":24068.1,"s_to_c_min":2,"s_to_c_avg":16307.4,"s_to_c_max":118862,"s_to_c_stddev":31502.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":147.9,"c_to_s_max":508,"c_to_s_stddev":154.6,"s_to_c_min":66,"s_to_c_avg":1008.6,"s_to_c_max":1506,"s_to_c_stddev":658.0}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01461{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"safari.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216193,"flow_src_last_pkt_time":1620898025515519,"flow_dst_last_pkt_time":1620898025515861,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":434,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1102,"flow_dst_tot_l4_payload_len":16480,"midstream":0,"thread_ts_usec":1620898025515861,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55265,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":19322.4,"flow_max":140358,"flow_stddev":32968.3,"c_to_s_min":3,"c_to_s_avg":23025.1,"c_to_s_max":103964,"c_to_s_stddev":28492.9,"s_to_c_min":16,"s_to_c_avg":16648.2,"s_to_c_max":140358,"s_to_c_stddev":35616.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":145.6,"c_to_s_max":500,"c_to_s_stddev":149.2,"s_to_c_min":66,"s_to_c_avg":982.0,"s_to_c_max":1506,"s_to_c_stddev":665.6}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01462{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":260,"source":"safari.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216511,"flow_src_last_pkt_time":1620898025519635,"flow_dst_last_pkt_time":1620898025519733,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":437,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16706,"midstream":0,"thread_ts_usec":1620898025519733,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55266,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":9,"flow_avg":19559.5,"flow_max":144002,"flow_stddev":33697.1,"c_to_s_min":127,"c_to_s_avg":23317.2,"c_to_s_max":106790,"c_to_s_stddev":29236.8,"s_to_c_min":9,"s_to_c_avg":16845.7,"s_to_c_max":144002,"s_to_c_stddev":36340.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":147.6,"c_to_s_max":503,"c_to_s_stddev":153.7,"s_to_c_min":66,"s_to_c_avg":994.6,"s_to_c_max":1506,"s_to_c_stddev":659.8}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01462{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":280,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025217638,"flow_src_last_pkt_time":1620898025521891,"flow_dst_last_pkt_time":1620898025521857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":434,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1125,"flow_dst_tot_l4_payload_len":16096,"midstream":0,"thread_ts_usec":1620898025521891,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":19628.1,"flow_max":147007,"flow_stddev":34082.4,"c_to_s_min":244,"c_to_s_avg":23404.1,"c_to_s_max":105414,"c_to_s_stddev":28836.2,"s_to_c_min":3,"s_to_c_avg":16901.1,"s_to_c_max":147007,"s_to_c_stddev":37178.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":147.2,"c_to_s_max":500,"c_to_s_stddev":152.9,"s_to_c_min":66,"s_to_c_avg":960.7,"s_to_c_max":1506,"s_to_c_stddev":684.6}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01461{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898025217296,"flow_src_last_pkt_time":1620898025552151,"flow_dst_last_pkt_time":1620898025552116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":437,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1558,"flow_dst_tot_l4_payload_len":13367,"midstream":0,"thread_ts_usec":1620898025552151,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55268,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":21602.4,"flow_max":146010,"flow_stddev":34561.6,"c_to_s_min":2,"c_to_s_avg":23918.2,"c_to_s_max":116212,"c_to_s_stddev":30165.6,"s_to_c_min":14,"s_to_c_avg":19695.3,"s_to_c_max":146010,"s_to_c_stddev":37693.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":170.7,"c_to_s_max":503,"c_to_s_stddev":171.8,"s_to_c_min":66,"s_to_c_avg":852.8,"s_to_c_max":1506,"s_to_c_stddev":687.2}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5392,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620898027036438,"flow_src_last_pkt_time":1620898027036438,"flow_dst_last_pkt_time":1620898027036438,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620898027036438,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55285,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5392,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1620898027036438,"flow_dst_last_pkt_time":1620898027036438,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620898027036438,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6Etf1AbvGGXtuAAAAALAC\/\/+JoQAAAgQFtAEDAwUBAQgKMzDQVQAAAAAEAgAA"} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5393,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1620898027036438,"flow_dst_last_pkt_time":1620898027065042,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620898027065042,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG71\/XZbafoxhl7b6AS\/ogqVAAAAgQFrAQCCAo6VrYRMzDQVQEDAwc="} diff --git a/test/results/signal.pcap.out b/test/results/signal.pcap.out index e4a6172a1..92f433eca 100644 --- a/test/results/signal.pcap.out +++ b/test/results/signal.pcap.out @@ -34,7 +34,7 @@ 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"signal.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051247603797,"flow_src_last_pkt_time":1569051247716407,"flow_dst_last_pkt_time":1569051247714648,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051247716407,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57021,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"signal.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1569051247716684,"flow_dst_last_pkt_time":1569051247714775,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1569051247716684,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGZHzAqAIRIuHwrd68AbvGwW2ECR79gIAQBAtLWAAAAQEICihVUl9kFVbr"} 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"signal.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051247601573,"flow_src_last_pkt_time":1569051247716836,"flow_dst_last_pkt_time":1569051247714775,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051247716836,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57020,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01362{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"signal.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569051247599529,"flow_src_last_pkt_time":1569051247791544,"flow_dst_last_pkt_time":1569051247792234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":893,"flow_dst_tot_l4_payload_len":10648,"midstream":0,"thread_ts_usec":1569051247792234,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":28453356.0,"flow_max":910122649,"flow_stddev":158352480.0,"c_to_s_min":18,"c_to_s_avg":56894668.0,"c_to_s_max":910122649,"c_to_s_stddev":220302512.0,"s_to_c_min":7,"s_to_c_avg":12044.1,"s_to_c_max":52274,"s_to_c_stddev":20251.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":122.6,"c_to_s_max":583,"c_to_s_stddev":124.7,"s_to_c_min":66,"s_to_c_avg":732.0,"s_to_c_max":1506,"s_to_c_stddev":587.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} +01340{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"signal.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569051247599529,"flow_src_last_pkt_time":1569051247791544,"flow_dst_last_pkt_time":1569051247792234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":893,"flow_dst_tot_l4_payload_len":10648,"midstream":0,"thread_ts_usec":1569051247792234,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":12410.3,"flow_max":52274,"flow_stddev":19984.8,"c_to_s_min":18,"c_to_s_avg":12801.0,"c_to_s_max":47796,"c_to_s_stddev":19689.0,"s_to_c_min":7,"s_to_c_avg":12044.1,"s_to_c_max":52274,"s_to_c_stddev":20251.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":122.6,"c_to_s_max":583,"c_to_s_stddev":124.7,"s_to_c_min":66,"s_to_c_avg":732.0,"s_to_c_max":1506,"s_to_c_stddev":587.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} 01241{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"signal.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051247594090,"flow_src_last_pkt_time":1569051247706645,"flow_dst_last_pkt_time":1569051247818667,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051247818667,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":49226,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01734{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":60,"source":"signal.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051247594090,"flow_src_last_pkt_time":1569051247706645,"flow_dst_last_pkt_time":1569051247818679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":2469,"midstream":0,"thread_ts_usec":1569051247818679,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":49226,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}} 01170{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"signal.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051247600467,"flow_src_last_pkt_time":1569051247711181,"flow_dst_last_pkt_time":1569051247822394,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051247822394,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57019,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} @@ -89,7 +89,7 @@ 01109{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":201,"source":"signal.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051264091926,"flow_src_last_pkt_time":1569051264259470,"flow_dst_last_pkt_time":1569051264203333,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051264259470,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57024,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":202,"source":"signal.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1569051264259507,"flow_dst_last_pkt_time":1569051264203483,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1569051264259507,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGUTrAqAIRI6kDKN7BAbuYIIuNFdnORoAQBAtBKQAAAQEICihVkvxkFUBN"} 01109{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":203,"source":"signal.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051264093006,"flow_src_last_pkt_time":1569051264259677,"flow_dst_last_pkt_time":1569051264203483,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051264259677,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57025,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01354{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":222,"source":"signal.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569051264078385,"flow_src_last_pkt_time":1569051264310199,"flow_dst_last_pkt_time":1569051264310869,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":862,"flow_dst_tot_l4_payload_len":11255,"midstream":0,"thread_ts_usec":1569051264310869,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57022,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":352817.6,"flow_max":10825866,"flow_stddev":1881175.9,"c_to_s_min":59,"c_to_s_avg":737178.7,"c_to_s_max":10825866,"c_to_s_stddev":2696443.8,"s_to_c_min":7,"s_to_c_avg":13675.5,"s_to_c_max":83343,"s_to_c_stddev":22883.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":125.1,"c_to_s_max":583,"c_to_s_stddev":128.2,"s_to_c_min":66,"s_to_c_avg":728.5,"s_to_c_max":1506,"s_to_c_stddev":569.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} +01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":222,"source":"signal.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569051264078385,"flow_src_last_pkt_time":1569051264310199,"flow_dst_last_pkt_time":1569051264310869,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":862,"flow_dst_tot_l4_payload_len":11255,"midstream":0,"thread_ts_usec":1569051264310869,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57022,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":14977.4,"flow_max":100663,"flow_stddev":25001.2,"c_to_s_min":59,"c_to_s_avg":16558.1,"c_to_s_max":100663,"c_to_s_stddev":27270.2,"s_to_c_min":7,"s_to_c_avg":13675.5,"s_to_c_max":83343,"s_to_c_stddev":22883.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":125.1,"c_to_s_max":583,"c_to_s_stddev":128.2,"s_to_c_min":66,"s_to_c_avg":728.5,"s_to_c_max":1506,"s_to_c_stddev":569.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} 01240{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":228,"source":"signal.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051264073974,"flow_src_last_pkt_time":1569051264229464,"flow_dst_last_pkt_time":1569051264342899,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051264342899,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":49227,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01733{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":229,"source":"signal.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051264073974,"flow_src_last_pkt_time":1569051264229464,"flow_dst_last_pkt_time":1569051264343005,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":2469,"midstream":0,"thread_ts_usec":1569051264343005,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":49227,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}} 01169{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":233,"source":"signal.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051264090815,"flow_src_last_pkt_time":1569051264259325,"flow_dst_last_pkt_time":1569051264369936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051264369936,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57023,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} @@ -105,7 +105,7 @@ 01109{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":321,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051264776825,"flow_dst_last_pkt_time":1569051264775024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051264776825,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01169{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":323,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051264776825,"flow_dst_last_pkt_time":1569051264887563,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051264887563,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01677{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":324,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051264776825,"flow_dst_last_pkt_time":1569051264887591,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2478,"midstream":0,"thread_ts_usec":1569051264887591,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}} -01457{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":350,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051265118031,"flow_dst_last_pkt_time":1569051265227415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":12293,"flow_dst_tot_l4_payload_len":2636,"midstream":0,"thread_ts_usec":1569051265227415,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":31709.3,"flow_max":114919,"flow_stddev":49419.5,"c_to_s_min":11,"c_to_s_avg":22668.3,"c_to_s_max":112445,"c_to_s_stddev":43818.2,"s_to_c_min":23,"s_to_c_avg":46777.8,"s_to_c_max":114919,"s_to_c_stddev":54308.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":681.2,"c_to_s_max":1506,"c_to_s_stddev":632.9,"s_to_c_min":66,"s_to_c_avg":286.3,"s_to_c_max":1506,"s_to_c_stddev":463.4}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +01457{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":350,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051265118031,"flow_dst_last_pkt_time":1569051265227415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":12293,"flow_dst_tot_l4_payload_len":2636,"midstream":0,"thread_ts_usec":1569051265227415,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":32686.5,"flow_max":114919,"flow_stddev":49905.0,"c_to_s_min":11,"c_to_s_avg":23786.8,"c_to_s_max":112445,"c_to_s_stddev":44677.3,"s_to_c_min":23,"s_to_c_avg":46777.8,"s_to_c_max":114919,"s_to_c_stddev":54308.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":681.2,"c_to_s_max":1506,"c_to_s_stddev":632.9,"s_to_c_min":66,"s_to_c_avg":286.3,"s_to_c_max":1506,"s_to_c_stddev":463.4}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":357,"source":"signal.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569051266396342,"flow_src_last_pkt_time":1569051266396342,"flow_dst_last_pkt_time":1569051266396342,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569051266396342,"l3_proto":"ip4","src_ip":"23.57.24.16","dst_ip":"192.168.2.17","src_port":443,"dst_port":57016,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":357,"source":"signal.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_src_last_pkt_time":1569051266396342,"flow_dst_last_pkt_time":1569051266396342,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1569051266396342,"pkt":"xGGLNYKpxiwDYGpkCABFAABMyV0AADQGy0wXORgQwKgCEQG73rjhiC89LB07wYAYAQKY+AAAAQEICpZOcwIoVP9fFwMDABNN53WS+HQ+OdIkNGbGHI++PaTs"} 00849{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":357,"source":"signal.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569051266396342,"flow_src_last_pkt_time":1569051266396342,"flow_dst_last_pkt_time":1569051266396342,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569051266396342,"l3_proto":"ip4","src_ip":"23.57.24.16","dst_ip":"192.168.2.17","src_port":443,"dst_port":57016,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -118,7 +118,7 @@ 01087{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":376,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267161538,"flow_dst_last_pkt_time":1569051267154562,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051267161538,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":378,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267161538,"flow_dst_last_pkt_time":1569051267197332,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051267197332,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01590{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":379,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267161538,"flow_dst_last_pkt_time":1569051267197345,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2383,"midstream":0,"thread_ts_usec":1569051267197345,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","server_names":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=cdn.signal.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12"}}} -01196{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":404,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267296344,"flow_dst_last_pkt_time":1569051267317465,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":11716,"flow_dst_tot_l4_payload_len":2541,"midstream":0,"thread_ts_usec":1569051267317465,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":13,"flow_avg":15836.9,"flow_max":136327,"flow_stddev":26788.4,"c_to_s_min":19,"c_to_s_avg":15549.7,"c_to_s_max":136327,"c_to_s_stddev":30875.5,"s_to_c_min":13,"s_to_c_avg":16315.7,"s_to_c_max":43365,"s_to_c_stddev":18012.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":652.4,"c_to_s_max":1506,"c_to_s_stddev":646.1,"s_to_c_min":66,"s_to_c_avg":278.4,"s_to_c_max":1506,"s_to_c_stddev":450.0}}} +01193{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":404,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267296344,"flow_dst_last_pkt_time":1569051267317465,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":11716,"flow_dst_tot_l4_payload_len":2541,"midstream":0,"thread_ts_usec":1569051267317465,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":13,"flow_avg":11950.2,"flow_max":43365,"flow_stddev":16041.8,"c_to_s_min":19,"c_to_s_avg":9193.0,"c_to_s_max":39763,"c_to_s_stddev":13975.5,"s_to_c_min":13,"s_to_c_avg":16315.7,"s_to_c_max":43365,"s_to_c_stddev":18012.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":652.4,"c_to_s_max":1506,"c_to_s_stddev":646.1,"s_to_c_min":66,"s_to_c_avg":278.4,"s_to_c_max":1506,"s_to_c_stddev":450.0}}} 01595{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":404,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267296344,"flow_dst_last_pkt_time":1569051267317465,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":11716,"flow_dst_tot_l4_payload_len":2541,"midstream":0,"thread_ts_usec":1569051267317465,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","server_names":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=cdn.signal.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12"}}} 00897{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"signal.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1569051245838268,"flow_src_last_pkt_time":1569051261595218,"flow_dst_last_pkt_time":1569051245838268,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":300,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":300,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1200,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051267601717,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DHCP","proto_id":"18","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00898{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":637,"source":"signal.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1569051255515841,"flow_src_last_pkt_time":1569051255541412,"flow_dst_last_pkt_time":1569051255539776,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":46,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":77,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569051267601717,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.146.144","src_port":56996,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} diff --git a/test/results/simple-dnscrypt.pcap.out b/test/results/simple-dnscrypt.pcap.out index 9c85714ee..9ae1fd120 100644 --- a/test/results/simple-dnscrypt.pcap.out +++ b/test/results/simple-dnscrypt.pcap.out @@ -7,7 +7,7 @@ 01047{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813284694670,"flow_dst_last_pkt_time":1491813284666208,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1491813284694670,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01107{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813284694670,"flow_dst_last_pkt_time":1491813284804255,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":1310,"midstream":0,"thread_ts_usec":1491813284804255,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01465{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":7,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813284809547,"flow_dst_last_pkt_time":1491813284819906,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":6550,"midstream":0,"thread_ts_usec":1491813284819906,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} -01225{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285148253,"flow_dst_last_pkt_time":1491813285258007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":10162,"midstream":0,"thread_ts_usec":1491813285258007,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":117426616.0,"flow_max":3638929975,"flow_stddev":642935616.0,"c_to_s_min":54,"c_to_s_avg":242634832.0,"c_to_s_max":3638929975,"c_to_s_stddev":907698048.0,"s_to_c_min":1,"s_to_c_avg":43901.0,"s_to_c_max":221977,"s_to_c_stddev":60074.7},"pktlen": {"c_to_s_min":54,"c_to_s_avg":108.4,"c_to_s_max":272,"c_to_s_stddev":70.7,"s_to_c_min":54,"s_to_c_avg":652.5,"s_to_c_max":1364,"s_to_c_stddev":599.9}}} +01201{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285148253,"flow_dst_last_pkt_time":1491813285258007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":10162,"midstream":0,"thread_ts_usec":1491813285258007,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":43169.3,"flow_max":221977,"flow_stddev":52652.2,"c_to_s_min":54,"c_to_s_avg":42333.0,"c_to_s_max":114877,"c_to_s_stddev":42599.3,"s_to_c_min":1,"s_to_c_avg":43901.0,"s_to_c_max":221977,"s_to_c_stddev":60074.7},"pktlen": {"c_to_s_min":54,"c_to_s_avg":108.4,"c_to_s_max":272,"c_to_s_stddev":70.7,"s_to_c_min":54,"s_to_c_avg":652.5,"s_to_c_max":1364,"s_to_c_stddev":599.9}}} 01468{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285148253,"flow_dst_last_pkt_time":1491813285258007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":10162,"midstream":0,"thread_ts_usec":1491813285258007,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":40,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1491813286275625,"flow_src_last_pkt_time":1491813286275625,"flow_dst_last_pkt_time":1491813286275625,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1491813286275625,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1491813286275625,"flow_dst_last_pkt_time":1491813286275625,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1491813286275625,"pkt":"uFpz9d6dpDTZFrEGCABFAAA0PSdAAIAGML7AqCunhncaGMRNAbtYb9jbAAAAAIACIADK3QAAAgQFtAEDAwgBAQQC"} @@ -30,7 +30,7 @@ 01473{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":76,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1491813286275625,"flow_src_last_pkt_time":1491813286592939,"flow_dst_last_pkt_time":1491813286594033,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":6550,"midstream":0,"thread_ts_usec":1491813286594033,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} 01134{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":81,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1491813286392272,"flow_src_last_pkt_time":1491813286491438,"flow_dst_last_pkt_time":1491813286609961,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":1310,"midstream":0,"thread_ts_usec":1491813286609961,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01473{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":87,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1491813286392272,"flow_src_last_pkt_time":1491813286612199,"flow_dst_last_pkt_time":1491813286612925,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":6550,"midstream":0,"thread_ts_usec":1491813286612925,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} -01204{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":107,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1491813286393273,"flow_src_last_pkt_time":1491813286786121,"flow_dst_last_pkt_time":1491813286786057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":280,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":7944,"midstream":0,"thread_ts_usec":1491813286786121,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":61910.6,"flow_max":1133596,"flow_stddev":198877.3,"c_to_s_min":49,"c_to_s_avg":95402.8,"c_to_s_max":1133596,"c_to_s_stddev":270685.4,"s_to_c_min":1,"s_to_c_avg":26185.6,"s_to_c_max":84732,"s_to_c_stddev":33363.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":114.9,"c_to_s_max":334,"c_to_s_stddev":79.3,"s_to_c_min":54,"s_to_c_avg":551.2,"s_to_c_max":1364,"s_to_c_stddev":561.9}}} +01200{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":107,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1491813286393273,"flow_src_last_pkt_time":1491813286786121,"flow_dst_last_pkt_time":1491813286786057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":280,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":7944,"midstream":0,"thread_ts_usec":1491813286786121,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":26187.7,"flow_max":105611,"flow_stddev":36205.4,"c_to_s_min":49,"c_to_s_avg":26189.9,"c_to_s_max":105611,"c_to_s_stddev":38839.5,"s_to_c_min":1,"s_to_c_avg":26185.6,"s_to_c_max":84732,"s_to_c_stddev":33363.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":114.9,"c_to_s_max":334,"c_to_s_stddev":79.3,"s_to_c_min":54,"s_to_c_avg":551.2,"s_to_c_max":1364,"s_to_c_stddev":561.9}}} 01476{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":107,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1491813286393273,"flow_src_last_pkt_time":1491813286786121,"flow_dst_last_pkt_time":1491813286786057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":280,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":7944,"midstream":0,"thread_ts_usec":1491813286786121,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} 00928{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":21,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285262104,"flow_dst_last_pkt_time":1491813285262021,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":13434,"midstream":0,"thread_ts_usec":1491813286913648,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 00776{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":10,"flow_first_seen":1491813286275625,"flow_src_last_pkt_time":1491813286718876,"flow_dst_last_pkt_time":1491813286718848,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":7183,"midstream":0,"thread_ts_usec":1491813286913648,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/sip.pcap.out b/test/results/sip.pcap.out index fbd118447..2d74f7780 100644 --- a/test/results/sip.pcap.out +++ b/test/results/sip.pcap.out @@ -14,7 +14,7 @@ 01586{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"sip.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1120470050699023,"flow_dst_last_pkt_time":1120470049188993,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":864,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":864,"pkt_l4_len":830,"thread_ts_usec":1120470050699023,"pkt":"ADBUADRWAODtAW69CABFAANSanIAAIARyujAqAECyER4URPEE8QDPvKbSU5WSVRFIHNpcDo5NzIzOTI4NzA0NEB2b2lwLmJydWp1bGEubmV0IFNJUC8yLjANClZpYTogU0lQLzIuMC9VRFAgMTkyLjE2OC4xLjI6NTA2MDticmFuY2g9ejloRzRiS25wMTA0OTg0MDUzLTQ0Y2U0YTQxMTkyLjE2OC4xLjI7cnBvcnQNCkZyb206ICJhcmlrIiA8c2lwOjgxNjY2NkB2b2lwLmJydXJqdWxhLm5ldD47dGFnPTY0MzNlZjkNClRvOiA8c2lwOjk3MjM5Mjg3MDQ0QHZvaXAuYnJ1anVsYS5uZXQ+DQpDYWxsLUlEOiAxMDUwOTAyNTktNDQ2ZmFmN2FAMTkyLjE2OC4xLjINCkNTZXE6IDEgSU5WSVRFDQpVc2VyLUFnZW50OiBOZXJvIFNJUFBTIElQIFBob25lIFZlcnNpb24gMi4wLjUxLjE2DQpFeHBpcmVzOiAxMjANCkFjY2VwdDogYXBwbGljYXRpb24vc2RwDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3NkcA0KQ29udGVudC1MZW5ndGg6IDI3Mg0KQ29udGFjdDogPHNpcDo4MTY2NjZAMTkyLjE2OC4xLjI+DQpNYXgtRm9yd2FyZHM6IDcwDQpBbGxvdzogSU5WSVRFLCBBQ0ssIENBTkNFTCwgQllFLCBSRUZFUiwgT1BUSU9OUywgTk9USUZZLCBJTkZPDQoNCnY9MA0Kbz1TSVBQUyAxMDUwMTUxNjUgMTA1MDE1MTYyIElOIElQNCAxOTIuMTY4LjEuMg0Kcz1TSVAgY2FsbA0KYz1JTiBJUDQgMTkyLjE2OC4xLjINCnQ9MCAwDQptPWF1ZGlvIDMwMDAwIFJUUC9BVlAgMCA4IDk3IDIgMw0KYT1ydHBtYXA6MCBwY211LzgwMDANCmE9cnRwbWFwOjggcGNtYS84MDAwDQphPXJ0cG1hcDo5NyBpTEJDLzgwMDANCmE9cnRwbWFwOjIgRzcyNi0zMi84MDAwDQphPXJ0cG1hcDozIEdTTS84MDAwDQphPWZtdHA6OTcgbW9kZT0yMA0KYT1zZW5kcmVjdg0K"} 00554{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":44,"source":"sip.pcap","alias":"nDPId-test","packets-captured":44,"packets-processed":43,"total-skipped-flows":0,"total-l4-payload-len":17733,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":2,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":1120470187658020} 00903{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":46,"source":"sip.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":10,"flow_first_seen":1120469572844249,"flow_src_last_pkt_time":1120470216689496,"flow_dst_last_pkt_time":1120469956406918,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":5,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":491,"flow_src_tot_l4_payload_len":4633,"flow_dst_tot_l4_payload_len":4354,"midstream":0,"thread_ts_usec":1120470216689496,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01370{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":50,"source":"sip.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1120469572844249,"flow_src_last_pkt_time":1120470235521078,"flow_dst_last_pkt_time":1120470235448732,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":5,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":825,"flow_dst_max_l4_payload_len":593,"flow_src_tot_l4_payload_len":7448,"flow_dst_tot_l4_payload_len":4947,"midstream":0,"thread_ts_usec":1120470235521078,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25935,"flow_avg":128903504.0,"flow_max":2799630793,"flow_stddev":483047104.0,"c_to_s_min":227102,"c_to_s_avg":164871792.0,"c_to_s_max":2799630793,"c_to_s_stddev":590093568.0,"s_to_c_min":25935,"s_to_c_avg":60236772.0,"s_to_c_max":279041814,"s_to_c_stddev":82709984.0},"pktlen": {"c_to_s_min":47,"c_to_s_avg":396.7,"c_to_s_max":867,"c_to_s_stddev":326.5,"s_to_c_min":348,"s_to_c_avg":491.7,"s_to_c_max":635,"s_to_c_stddev":86.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01364{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":50,"source":"sip.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1120469572844249,"flow_src_last_pkt_time":1120470235521078,"flow_dst_last_pkt_time":1120470235448732,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":5,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":825,"flow_dst_max_l4_payload_len":593,"flow_src_tot_l4_payload_len":7448,"flow_dst_tot_l4_payload_len":4947,"midstream":0,"thread_ts_usec":1120470235521078,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25935,"flow_avg":42751008.0,"flow_max":279041814,"flow_stddev":57873684.0,"c_to_s_min":227102,"c_to_s_avg":33133840.0,"c_to_s_max":150200040,"c_to_s_stddev":34181012.0,"s_to_c_min":25935,"s_to_c_avg":60236772.0,"s_to_c_max":279041814,"s_to_c_stddev":82709984.0},"pktlen": {"c_to_s_min":47,"c_to_s_avg":396.7,"c_to_s_max":867,"c_to_s_stddev":326.5,"s_to_c_min":348,"s_to_c_avg":491.7,"s_to_c_max":635,"s_to_c_stddev":86.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00904{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":51,"source":"sip.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":3,"flow_first_seen":1120470049188993,"flow_src_last_pkt_time":1120470114910372,"flow_dst_last_pkt_time":1120470116279089,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":347,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":822,"flow_dst_max_l4_payload_len":614,"flow_src_tot_l4_payload_len":6938,"flow_dst_tot_l4_payload_len":1818,"midstream":0,"thread_ts_usec":1120470235521078,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"200.68.120.81","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00902{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":57,"source":"sip.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":3,"flow_first_seen":1120470049188993,"flow_src_last_pkt_time":1120470114910372,"flow_dst_last_pkt_time":1120470116279089,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":347,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":822,"flow_dst_max_l4_payload_len":614,"flow_src_tot_l4_payload_len":6938,"flow_dst_tot_l4_payload_len":1818,"midstream":0,"thread_ts_usec":1120470315341351,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"200.68.120.81","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00904{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":60,"source":"sip.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":29,"flow_dst_packets_processed":12,"flow_first_seen":1120469572844249,"flow_src_last_pkt_time":1120470402627133,"flow_dst_last_pkt_time":1120470268128176,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":5,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1076,"flow_dst_max_l4_payload_len":593,"flow_src_tot_l4_payload_len":8889,"flow_dst_tot_l4_payload_len":5392,"midstream":0,"thread_ts_usec":1120470402627133,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} diff --git a/test/results/sites.pcapng.out b/test/results/sites.pcapng.out index a657e0e4f..5712cbada 100644 --- a/test/results/sites.pcapng.out +++ b/test/results/sites.pcapng.out @@ -30,7 +30,7 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1623223596002274,"flow_dst_last_pkt_time":1623223595999034,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1623223596002274,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0ZBlAAEAGCezAqAGAW8au0MW8AbvaIBcIazbbIYAQAfbJTQAAAQEICrzqTwcXn7ww"} 01099{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":70,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596004515,"flow_dst_last_pkt_time":1623223595999034,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623223596004515,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"upload.wikimedia.org","tls": {"version":"TLSv1.2","ja3":"6b5e0cfe988c723ee71faf54f8460684","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01144{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":72,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596004515,"flow_dst_last_pkt_time":1623223596052201,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1623223596052201,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"upload.wikimedia.org","tls": {"version":"TLSv1.3","ja3":"6b5e0cfe988c723ee71faf54f8460684","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01222{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596109406,"flow_dst_last_pkt_time":1623223596108936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":16479,"midstream":0,"thread_ts_usec":1623223596109406,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":199,"flow_avg":87304800.0,"flow_max":1483867720,"flow_stddev":349140736.0,"c_to_s_min":235,"c_to_s_avg":164891664.0,"c_to_s_max":1483867720,"c_to_s_stddev":466328448.0,"s_to_c_min":199,"s_to_c_avg":19592.2,"s_to_c_max":52937,"s_to_c_stddev":24201.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":140.6,"c_to_s_max":583,"c_to_s_stddev":142.0,"s_to_c_min":66,"s_to_c_avg":981.9,"s_to_c_max":1514,"s_to_c_stddev":646.1}}} +01197{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596109406,"flow_dst_last_pkt_time":1623223596108936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":16479,"midstream":0,"thread_ts_usec":1623223596109406,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":199,"flow_avg":19621.6,"flow_max":52937,"flow_stddev":23899.2,"c_to_s_min":235,"c_to_s_avg":19651.0,"c_to_s_max":52220,"c_to_s_stddev":23593.4,"s_to_c_min":199,"s_to_c_avg":19592.2,"s_to_c_max":52937,"s_to_c_stddev":24201.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":140.6,"c_to_s_max":583,"c_to_s_stddev":142.0,"s_to_c_min":66,"s_to_c_avg":981.9,"s_to_c_max":1514,"s_to_c_stddev":646.1}}} 01148{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":98,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596109406,"flow_dst_last_pkt_time":1623223596108936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":16479,"midstream":0,"thread_ts_usec":1623223596109406,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"upload.wikimedia.org","tls": {"version":"TLSv1.3","ja3":"6b5e0cfe988c723ee71faf54f8460684","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00767{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":107,"source":"sites.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":17,"flow_first_seen":1623222051753416,"flow_src_last_pkt_time":1623222112086485,"flow_dst_last_pkt_time":1623222112185361,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2226,"flow_dst_tot_l4_payload_len":6554,"midstream":0,"thread_ts_usec":1623223596203292,"l3_proto":"ip4","src_ip":"192.168.1.227","dst_ip":"52.73.71.226","src_port":50071,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":119,"source":"sites.pcapng","alias":"nDPId-test","packets-captured":119,"packets-processed":118,"total-skipped-flows":0,"total-l4-payload-len":35609,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":6,"total-updates":0,"current-active-flows":1,"total-active-flows":4,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":36,"global_ts_usec":1623226283573712} @@ -39,7 +39,7 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":120,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1623226283573712,"flow_dst_last_pkt_time":1623226283601626,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1623226283601626,"pkt":"AoEfHBPlpJGxgjQ5CABFAAA0AABAADMGZpwtUvEzwKgB+gBQm9LNImc9F4Arv4ASchAIQAAAAgQFeAEBBAIBAwMK"} 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":121,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1623226283602794,"flow_dst_last_pkt_time":1623226283601626,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1623226283602794,"pkt":"pJGxgjQ5AoEfHBPlCABFAAAoM5VAAEAGJhPAqAH6LVLxM5vSAFAXgCu\/zSJnPlAQAKy6PQAAAAAAAAAA"} 01048{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":122,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623226283573712,"flow_src_last_pkt_time":1623226283612303,"flow_dst_last_pkt_time":1623226283601626,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":190,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":190,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623226283612303,"l3_proto":"ip4","src_ip":"192.168.1.250","dst_ip":"45.82.241.51","src_port":39890,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Likee","proto_id":"7.261","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"videosnap.like.video","http": {"url":"videosnap.like.video\/eu_live\/5uz\/1YOmxT.webp?type=8&resize=1&dw=360","code":0,"content_type":"","user_agent":"Like-Android"}}} -01374{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623226283573712,"flow_src_last_pkt_time":1623226284678348,"flow_dst_last_pkt_time":1623226284677149,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":190,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":380,"flow_dst_tot_l4_payload_len":18862,"midstream":0,"thread_ts_usec":1623226284678348,"l3_proto":"ip4","src_ip":"192.168.1.250","dst_ip":"45.82.241.51","src_port":39890,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":249,"flow_avg":148192896.0,"flow_max":2517071338,"flow_stddev":592219648.0,"c_to_s_min":304,"c_to_s_avg":228925088.0,"c_to_s_max":2517071338,"c_to_s_stddev":723575488.0,"s_to_c_min":249,"s_to_c_avg":183906.2,"s_to_c_max":1031142,"s_to_c_stddev":379177.2},"pktlen": {"c_to_s_min":60,"c_to_s_avg":82.5,"c_to_s_max":244,"c_to_s_stddev":59.1,"s_to_c_min":60,"s_to_c_avg":1312.7,"s_to_c_max":1514,"s_to_c_stddev":491.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Likee","proto_id":"7.261","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01355{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623226283573712,"flow_src_last_pkt_time":1623226284678348,"flow_dst_last_pkt_time":1623226284677149,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":190,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":380,"flow_dst_tot_l4_payload_len":18862,"midstream":0,"thread_ts_usec":1623226284678348,"l3_proto":"ip4","src_ip":"192.168.1.250","dst_ip":"45.82.241.51","src_port":39890,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":249,"flow_avg":138004.6,"flow_max":1031142,"flow_stddev":327437.1,"c_to_s_min":304,"c_to_s_avg":110463.6,"c_to_s_max":974261,"c_to_s_stddev":288541.6,"s_to_c_min":249,"s_to_c_avg":183906.2,"s_to_c_max":1031142,"s_to_c_stddev":379177.2},"pktlen": {"c_to_s_min":60,"c_to_s_avg":82.5,"c_to_s_max":244,"c_to_s_stddev":59.1,"s_to_c_min":60,"s_to_c_avg":1312.7,"s_to_c_max":1514,"s_to_c_stddev":491.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Likee","proto_id":"7.261","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":229,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":24,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223766553269,"flow_dst_last_pkt_time":1623223766548680,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1177,"flow_dst_tot_l4_payload_len":16557,"midstream":0,"thread_ts_usec":1623226286427901,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":231,"source":"sites.pcapng","alias":"nDPId-test","packets-captured":231,"packets-processed":230,"total-skipped-flows":0,"total-l4-payload-len":108050,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":5,"total-detection-updates":6,"total-updates":0,"current-active-flows":1,"total-active-flows":5,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":44,"global_ts_usec":1631088115362469} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":231,"source":"sites.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1631088115362469,"flow_src_last_pkt_time":1631088115362469,"flow_dst_last_pkt_time":1631088115362469,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1631088115362469,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"199.232.82.109","src_port":46724,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/skinny.pcap.out b/test/results/skinny.pcap.out index d6ab92ce5..e5b360d8a 100644 --- a/test/results/skinny.pcap.out +++ b/test/results/skinny.pcap.out @@ -10,7 +10,7 @@ 00869{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801130506133,"flow_src_last_pkt_time":1317801130506133,"flow_dst_last_pkt_time":1317801130506133,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1317801130506133,"l3_proto":"ip4","src_ip":"192.168.193.12","dst_ip":"192.168.195.50","src_port":2000,"dst_port":51532,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00551{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1317801130506148,"flow_dst_last_pkt_time":1317801130506133,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1317801130506148,"pkt":"AB1FDGVjABTy5fxCCABFYABE5ZNAAD8GUDDAqMEMwKjDMgfQyUyJcg5JId4l61AYLGoX3AAAFAAAABQAAAAQAQAAAQAAAEs2LgEDAAAA\/\/\/\/\/w=="} 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1317801130506205,"flow_dst_last_pkt_time":1317801130506133,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1317801130506205,"pkt":"AB1FDGVjABTy5fxCCABFYABI5ZVAAD8GUCrAqMEMwKjDMgfQyUyJcg5lId4l61AYLGr9cQAAGAAAABQAAABFAQAAAAAAAAEAAABLNi4BgBczMjEAAAA="} -01367{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":60,"source":"skinny.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1317801130501299,"flow_src_last_pkt_time":1317801134312976,"flow_dst_last_pkt_time":1317801134286303,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":52,"flow_dst_max_l4_payload_len":324,"flow_src_tot_l4_payload_len":248,"flow_dst_tot_l4_payload_len":1620,"midstream":1,"thread_ts_usec":1317801134312976,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.12","src_port":49399,"dst_port":2000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":14,"flow_avg":65389680.0,"flow_max":2084873123,"flow_stddev":362710944.0,"c_to_s_min":5962,"c_to_s_avg":160668064.0,"c_to_s_max":2084873123,"c_to_s_stddev":555470976.0,"s_to_c_min":14,"s_to_c_avg":199210.7,"s_to_c_max":3559643,"s_to_c_stddev":792236.6},"pktlen": {"c_to_s_min":60,"c_to_s_avg":76.3,"c_to_s_max":106,"c_to_s_stddev":20.0,"s_to_c_min":60,"s_to_c_avg":140.2,"s_to_c_max":378,"s_to_c_stddev":85.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01350{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":60,"source":"skinny.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1317801130501299,"flow_src_last_pkt_time":1317801134312976,"flow_dst_last_pkt_time":1317801134286303,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":52,"flow_dst_max_l4_payload_len":324,"flow_src_tot_l4_payload_len":248,"flow_dst_tot_l4_payload_len":1620,"midstream":1,"thread_ts_usec":1317801134312976,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.12","src_port":49399,"dst_port":2000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":14,"flow_avg":245054.2,"flow_max":3609828,"flow_stddev":877176.1,"c_to_s_min":5962,"c_to_s_avg":317639.8,"c_to_s_max":3609828,"c_to_s_stddev":992651.1,"s_to_c_min":14,"s_to_c_avg":199210.7,"s_to_c_max":3559643,"s_to_c_stddev":792236.6},"pktlen": {"c_to_s_min":60,"c_to_s_avg":76.3,"c_to_s_max":106,"c_to_s_stddev":20.0,"s_to_c_min":60,"s_to_c_avg":140.2,"s_to_c_max":378,"s_to_c_stddev":85.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":61,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801134322539,"flow_src_last_pkt_time":1317801134322539,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":172,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134322539,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32150,"dst_port":9395,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00796{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1317801134322539,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1317801134322539,"pkt":"ABTy5fxCAB56JnR1CABFuADIE4MAAEARYEbAqMM6wKjBGH2WJLMAtK8pgIAFmwAC4MD2v1fi\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/39+\/v18ffz+\/f9+\/n17eXh6e357fv1+\/v59\/fx9fX16e379+vv7+359fnv\/\/X3+\/35\/e3v+\/H7\/fnv+fXz9\/v7+fX18fHx7fHt+f3\/\/fv3+f\/7+\/v79\/\/5\/eXt8fX9+f\/\/\/\/39+f3x5e3x6eX1+fv5+f\/78\/P78\/nz+fn5+fA=="} 00863{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":61,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801134322539,"flow_src_last_pkt_time":1317801134322539,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":172,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134322539,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32150,"dst_port":9395,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} @@ -36,16 +36,16 @@ 00745{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":89,"source":"skinny.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1317801134389369,"flow_dst_last_pkt_time":1317801134349579,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1317801134389369,"pkt":"ABTy5fxCAB56JnR1CABFuADIE40AAEARYDzAqMM6wKjBGH2YJLQAtJABgAAFlgAFiLgeBjsifHt9f319fPv+\/v54f\/7\/e3l9e\/79f3p7fn18e316ff5+\/X58fv1\/\/v9+f3p+f31\/fv3+f31+\/np6fnx8fnz9\/P\/8fv37ff3\/fH7+\/3v\/f318f\/t8fP19fH19\/fl\/ev39+fx9d3Fw+NlhW8pMTLpRPsLeSefcWnbk8lz61FL72VV96Wtf6+1j6G777m\/scn\/3eX7+cXDubGz2fnF77nN2\/A=="} 00749{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"skinny.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1317801134403859,"flow_dst_last_pkt_time":1317801134383882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1317801134403859,"pkt":"ABTy5fxCAB1FDGVjCABFuADIE+4AAEARX+PAqMMywKjBGEVEJLgAtCDKgAAGQAAC40B8EHHz+vv9\/f7+\/nx6eXh7ff\/9\/fb4+vj5+f5+fHh8eHd5en5++\/39\/Xt\/enl7eH54efr+\/Pp9f3p5fHV4enp\/\/Pj59vn+9vb8fHl6d3t5ev5\/\/P768\/n5+f7+fHV1dnR6fXd8\/31\/eHr+eX39d3n4\/f73+Pz8\/3t7e3p2dn59fPv5+\/v4\/X\/8fH18e39+fv78\/fv59\/b7\/nx7fXh3d3p\/fHt9fg=="} 00752{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":102,"source":"skinny.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1317801134423839,"flow_dst_last_pkt_time":1317801134383882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1317801134423839,"pkt":"ABTy5fxCAB1FDGVjCABFuADIE\/EAAEARX+DAqMMywKjBGEVEJLgAtBwlgAAGQQAC4+B8EHHzfn78fXn\/eXV9d3b9\/338+\/f7fH59e3p2eX3++\/309fz6e3l6c3h3dnt3fff49\/Pz9vf2+Pv9fX19fX1+\/f1\/e3l5d3d1dHh6fHp6fv7++\/r3+H59fHx9e3l9+\/99\/P37+X57e3l8e3p\/f379\/fv7+\/r8\/v\/8\/n7\/\/\/39fXx6dnd5ev9+eXx6eH16fPx\/\/Pj5+fv7\/H15d3l7fH7\/\/f39\/A=="} -01330{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":125,"source":"skinny.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1317801134322976,"flow_src_last_pkt_time":1317801134482957,"flow_dst_last_pkt_time":1317801134468575,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":3096,"flow_dst_tot_l4_payload_len":2408,"midstream":0,"thread_ts_usec":1317801134482957,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.195.50","src_port":32144,"dst_port":17718,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":10697.4,"flow_max":36736,"flow_stddev":11089.0,"c_to_s_min":7,"c_to_s_avg":10928.7,"c_to_s_max":36736,"c_to_s_stddev":11534.2,"s_to_c_min":4,"s_to_c_avg":10399.9,"s_to_c_max":25564,"s_to_c_stddev":10481.4},"pktlen": {"c_to_s_min":214,"c_to_s_avg":214.0,"c_to_s_max":214,"c_to_s_stddev":0.0,"s_to_c_min":214,"s_to_c_avg":214.0,"s_to_c_max":214,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} -01311{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":307,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134322539,"flow_src_last_pkt_time":1317801134942562,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134942562,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32150,"dst_port":9395,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19901,"flow_avg":20510.1,"flow_max":36299,"flow_stddev":2836.0,"c_to_s_min":19901,"c_to_s_avg":20510.1,"c_to_s_max":36299,"c_to_s_stddev":2836.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":214,"c_to_s_avg":214.0,"c_to_s_max":214,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} -01309{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":319,"source":"skinny.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134348136,"flow_src_last_pkt_time":1317801134968092,"flow_dst_last_pkt_time":1317801134348136,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134968092,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.193.24","src_port":17726,"dst_port":9399,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5186,"flow_avg":19535.7,"flow_max":20095,"flow_stddev":2577.4,"c_to_s_min":5186,"c_to_s_avg":19535.7,"c_to_s_max":20095,"c_to_s_stddev":2577.4,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":214,"c_to_s_avg":214.0,"c_to_s_max":214,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} -01309{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":322,"source":"skinny.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134349579,"flow_src_last_pkt_time":1317801134969420,"flow_dst_last_pkt_time":1317801134349579,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134969420,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32152,"dst_port":9396,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1039,"flow_avg":19402.5,"flow_max":20520,"flow_stddev":3301.2,"c_to_s_min":1039,"c_to_s_avg":19402.5,"c_to_s_max":20520,"c_to_s_stddev":3301.2,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":214,"c_to_s_avg":214.0,"c_to_s_max":214,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} -01307{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":334,"source":"skinny.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134383882,"flow_src_last_pkt_time":1317801135003916,"flow_dst_last_pkt_time":1317801134383882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801135003916,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.193.24","src_port":17732,"dst_port":9400,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":951,"flow_avg":19405.8,"flow_max":20100,"flow_stddev":3314.8,"c_to_s_min":951,"c_to_s_avg":19405.8,"c_to_s_max":20100,"c_to_s_stddev":3314.8,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":214,"c_to_s_avg":214.0,"c_to_s_max":214,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +01327{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":125,"source":"skinny.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1317801134322976,"flow_src_last_pkt_time":1317801134482957,"flow_dst_last_pkt_time":1317801134468575,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":3096,"flow_dst_tot_l4_payload_len":2408,"midstream":0,"thread_ts_usec":1317801134482957,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.195.50","src_port":32144,"dst_port":17718,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":9857.4,"flow_max":25564,"flow_stddev":10215.5,"c_to_s_min":7,"c_to_s_avg":9410.6,"c_to_s_max":20024,"c_to_s_stddev":9969.0,"s_to_c_min":4,"s_to_c_avg":10399.9,"s_to_c_max":25564,"s_to_c_stddev":10481.4},"pktlen": {"c_to_s_min":214,"c_to_s_avg":214.0,"c_to_s_max":214,"c_to_s_stddev":0.0,"s_to_c_min":214,"s_to_c_avg":214.0,"s_to_c_max":214,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +01307{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":307,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134322539,"flow_src_last_pkt_time":1317801134942562,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134942562,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32150,"dst_port":9395,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19901,"flow_avg":20000.7,"flow_max":20073,"flow_stddev":35.0,"c_to_s_min":19901,"c_to_s_avg":20000.7,"c_to_s_max":20073,"c_to_s_stddev":35.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":214,"c_to_s_avg":214.0,"c_to_s_max":214,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +01307{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":319,"source":"skinny.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134348136,"flow_src_last_pkt_time":1317801134968092,"flow_dst_last_pkt_time":1317801134348136,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134968092,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.193.24","src_port":17726,"dst_port":9399,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19962,"flow_avg":19998.6,"flow_max":20095,"flow_stddev":27.6,"c_to_s_min":19962,"c_to_s_avg":19998.6,"c_to_s_max":20095,"c_to_s_stddev":27.6,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":214,"c_to_s_avg":214.0,"c_to_s_max":214,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +01309{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":322,"source":"skinny.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134349579,"flow_src_last_pkt_time":1317801134969420,"flow_dst_last_pkt_time":1317801134349579,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134969420,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32152,"dst_port":9396,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19475,"flow_avg":19994.9,"flow_max":20520,"flow_stddev":142.6,"c_to_s_min":19475,"c_to_s_avg":19994.9,"c_to_s_max":20520,"c_to_s_stddev":142.6,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":214,"c_to_s_avg":214.0,"c_to_s_max":214,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +01307{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":334,"source":"skinny.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134383882,"flow_src_last_pkt_time":1317801135003916,"flow_dst_last_pkt_time":1317801134383882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801135003916,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.193.24","src_port":17732,"dst_port":9400,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19941,"flow_avg":20001.1,"flow_max":20100,"flow_stddev":38.1,"c_to_s_min":19941,"c_to_s_avg":20001.1,"c_to_s_max":20100,"c_to_s_stddev":38.1,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":214,"c_to_s_avg":214.0,"c_to_s_max":214,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2643,"source":"skinny.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801140764515,"flow_src_last_pkt_time":1317801140764515,"flow_dst_last_pkt_time":1317801140764515,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1317801140764515,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"10.16.2.25","src_port":50917,"dst_port":2000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2643,"source":"skinny.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1317801140764515,"flow_dst_last_pkt_time":1317801140764515,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1317801140764515,"pkt":"ABTy5fxCAB56JnR1CABFYAA0F0wAAEAG0wzAqMM6ChACGcblB9CCZg4uo3beQVAYIAAasgAABAAAAAAAAAAAAAAA"} 00868{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2643,"source":"skinny.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801140764515,"flow_src_last_pkt_time":1317801140764515,"flow_dst_last_pkt_time":1317801140764515,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1317801140764515,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"10.16.2.25","src_port":50917,"dst_port":2000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2664,"source":"skinny.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1317801140764515,"flow_dst_last_pkt_time":1317801140821803,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1317801140821803,"pkt":"AB56JnR1ABTy5fxCCABFYAAod8dAADwGNp0KEAIZwKjDOgfQxuWjdt5BgmYOOlAQFtAn6gAAAAAAAAAA"} -01355{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2918,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1317801130506133,"flow_src_last_pkt_time":1317801141425306,"flow_dst_last_pkt_time":1317801141427620,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":492,"flow_dst_max_l4_payload_len":52,"flow_src_tot_l4_payload_len":1512,"flow_dst_tot_l4_payload_len":244,"midstream":1,"thread_ts_usec":1317801141427620,"l3_proto":"ip4","src_ip":"192.168.193.12","dst_ip":"192.168.195.50","src_port":2000,"dst_port":51532,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":15,"flow_avg":682602.0,"flow_max":7045910,"flow_stddev":1851671.8,"c_to_s_min":15,"c_to_s_avg":606765.4,"c_to_s_max":6999604,"c_to_s_stddev":1756073.4,"s_to_c_min":704,"s_to_c_avg":780106.2,"s_to_c_max":7045910,"s_to_c_stddev":1963471.9},"pktlen": {"c_to_s_min":60,"c_to_s_avg":139.0,"c_to_s_max":546,"c_to_s_stddev":116.3,"s_to_c_min":60,"s_to_c_avg":74.9,"s_to_c_max":106,"s_to_c_stddev":19.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01355{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2918,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1317801130506133,"flow_src_last_pkt_time":1317801141425306,"flow_dst_last_pkt_time":1317801141427620,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":492,"flow_dst_max_l4_payload_len":52,"flow_src_tot_l4_payload_len":1512,"flow_dst_tot_l4_payload_len":244,"midstream":1,"thread_ts_usec":1317801141427620,"l3_proto":"ip4","src_ip":"192.168.193.12","dst_ip":"192.168.195.50","src_port":2000,"dst_port":51532,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":15,"flow_avg":704537.4,"flow_max":7045910,"flow_stddev":1877203.8,"c_to_s_min":15,"c_to_s_avg":642304.3,"c_to_s_max":6999604,"c_to_s_stddev":1800683.0,"s_to_c_min":704,"s_to_c_avg":780106.2,"s_to_c_max":7045910,"s_to_c_stddev":1963471.9},"pktlen": {"c_to_s_min":60,"c_to_s_avg":139.0,"c_to_s_max":546,"c_to_s_stddev":116.3,"s_to_c_min":60,"s_to_c_avg":74.9,"s_to_c_max":106,"s_to_c_stddev":19.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00728{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2941,"source":"skinny.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801141463821,"flow_src_last_pkt_time":1317801141463821,"flow_dst_last_pkt_time":1317801141463821,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801141463821,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.195.58","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3} 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2941,"source":"skinny.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1317801141463821,"flow_dst_last_pkt_time":1317801141463821,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1317801141463821,"pkt":"AB56JnR1AB1FDGVjCABFAAA4GBEAAEABWvbAqMMywKjDOgMDmwIAAAAARbgAyBe5AABAEVn2wKjDOsCowzJ9kEU2ALSefw=="} 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2941,"source":"skinny.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801141463821,"flow_src_last_pkt_time":1317801141463821,"flow_dst_last_pkt_time":1317801141463821,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801141463821,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.195.58","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.235927}} @@ -73,5 +73,5 @@ ~~ total allocations/frees...: 124481/124481 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 477 chars -~~ json string max len.......: 1372 chars -~~ json string avg len.......: 923 chars +~~ json string max len.......: 1360 chars +~~ json string avg len.......: 917 chars diff --git a/test/results/skype-conference-call.pcap.out b/test/results/skype-conference-call.pcap.out index 0e1da23f4..3501fbf65 100644 --- a/test/results/skype-conference-call.pcap.out +++ b/test/results/skype-conference-call.pcap.out @@ -5,7 +5,7 @@ 01115{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1501061916646303,"flow_src_last_pkt_time":1501061916646303,"flow_dst_last_pkt_time":1501061916646303,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":104,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":104,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1501061916646303,"l3_proto":"ip4","src_ip":"192.168.2.20","dst_ip":"104.46.40.49","src_port":49282,"dst_port":60642,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_udp_pkts":1,"num_binding_requests":1,"num_processed_pkts":0}}} 00649{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1501061916646303,"flow_dst_last_pkt_time":1501061916653642,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":146,"pkt_l4_len":112,"thread_ts_usec":1501061916653642,"pkt":"xCwDBkn+XEl5dU5qCABFAACERTYAAG4RtBdoLigxwKgCFOziwIIAcHm6AAEAVCESpEI8yF2moGJ4zvU2wuEABgAJeld5azpncHBlAAAAACQABG7\/\/v+AKQAIAAAAAAACl5OAVAABMQAAAIBwAAQAAAADAAgAFHnv8xovieyQrsQ6j2MMyqg8GNj1gCgABORvfhY="} 00603{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1501061916690803,"flow_dst_last_pkt_time":1501061916653642,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":114,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":114,"pkt_l4_len":80,"thread_ts_usec":1501061916690803,"pkt":"XEl5dU5qxCwDBkn+CABFAABkjWYAAEARmgfAqAIUaC4oMcCC7OIAUFnEAQEANCESpEI8yF2moGJ4zvU2wuEAIAAIAAHN8Ek8jHOAcAAEAAAAAwAIABSgsacIkgIOfzKEQbuerkeFTLj204AoAASK\/70B"} -01519{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1501061916646303,"flow_src_last_pkt_time":1501061916821040,"flow_dst_last_pkt_time":1501061916812989,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":915,"flow_dst_max_l4_payload_len":167,"flow_src_tot_l4_payload_len":6417,"flow_dst_tot_l4_payload_len":1824,"midstream":0,"thread_ts_usec":1501061916821040,"l3_proto":"ip4","src_ip":"192.168.2.20","dst_ip":"104.46.40.49","src_port":49282,"dst_port":60642,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":59,"flow_avg":28493954.0,"flow_max":911465103,"flow_stddev":158586304.0,"c_to_s_min":197,"c_to_s_avg":56977488.0,"c_to_s_max":911465103,"c_to_s_stddev":220627760.0,"s_to_c_min":59,"s_to_c_avg":10417.9,"s_to_c_max":100094,"s_to_c_stddev":26589.7},"pktlen": {"c_to_s_min":85,"c_to_s_avg":443.1,"c_to_s_max":957,"c_to_s_stddev":398.5,"s_to_c_min":77,"s_to_c_avg":156.0,"s_to_c_max":209,"s_to_c_stddev":30.1}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01498{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1501061916646303,"flow_src_last_pkt_time":1501061916821040,"flow_dst_last_pkt_time":1501061916812989,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":915,"flow_dst_max_l4_payload_len":167,"flow_src_tot_l4_payload_len":6417,"flow_dst_tot_l4_payload_len":1824,"midstream":0,"thread_ts_usec":1501061916821040,"l3_proto":"ip4","src_ip":"192.168.2.20","dst_ip":"104.46.40.49","src_port":49282,"dst_port":60642,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":59,"flow_avg":11013.6,"flow_max":100094,"flow_stddev":22446.4,"c_to_s_min":197,"c_to_s_avg":11649.1,"c_to_s_max":54879,"c_to_s_stddev":16921.6,"s_to_c_min":59,"s_to_c_avg":10417.9,"s_to_c_max":100094,"s_to_c_stddev":26589.7},"pktlen": {"c_to_s_min":85,"c_to_s_avg":443.1,"c_to_s_max":957,"c_to_s_stddev":398.5,"s_to_c_min":77,"s_to_c_avg":156.0,"s_to_c_max":209,"s_to_c_stddev":30.1}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01077{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":200,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":133,"flow_dst_packets_processed":67,"flow_first_seen":1501061916646303,"flow_src_last_pkt_time":1501061918126158,"flow_dst_last_pkt_time":1501061918151791,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":915,"flow_dst_max_l4_payload_len":915,"flow_src_tot_l4_payload_len":19259,"flow_dst_tot_l4_payload_len":12028,"midstream":0,"thread_ts_usec":1501061918151791,"l3_proto":"ip4","src_ip":"192.168.2.20","dst_ip":"104.46.40.49","src_port":49282,"dst_port":60642,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00577{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":200,"source":"skype-conference-call.pcap","alias":"nDPId-test","packets-captured":200,"packets-processed":200,"total-skipped-flows":0,"total-l4-payload-len":31287,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1501061918151791} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121636/121636 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars -~~ json string max len.......: 1524 chars -~~ json string avg len.......: 979 chars +~~ json string max len.......: 1503 chars +~~ json string avg len.......: 969 chars diff --git a/test/results/skype.pcap.out b/test/results/skype.pcap.out index 11373f6de..1fd9eee7f 100644 --- a/test/results/skype.pcap.out +++ b/test/results/skype.pcap.out @@ -78,7 +78,7 @@ 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":71,"source":"skype.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1431969643343414,"flow_dst_last_pkt_time":1431969642337316,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"thread_ts_usec":1431969643343414,"pkt":"0NQSxnP1PBXCt3IOCABFAAA+7pYAAEARCKXAqAEiwKgBAf4VADUAKsDYd8YBAAABAAAAAAAABGRzbjQBZAVza3lwZQNuZXQAABwAAQ=="} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":74,"source":"skype.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1431969643486691,"flow_dst_last_pkt_time":1431969642398483,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969643486691,"pkt":"0NQSxnP1PBXCt3IOCABFAABK1twAAEARIFPAqAEiwKgBAd\/IADUANro4UU4BAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDYBcgVza3lwZQNuZXQAABwAAQ=="} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":75,"source":"skype.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_src_last_pkt_time":1431969643486838,"flow_dst_last_pkt_time":1431969642398350,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969643486838,"pkt":"0NQSxnP1PBXCt3IOCABFAABKJUgAAEAR0efAqAEiwKgBAcNGADUANrH\/diQBAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDYBcgVza3lwZQNuZXQAAAEAAQ=="} -01584{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"skype.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969642444382,"flow_src_last_pkt_time":1431969643732696,"flow_dst_last_pkt_time":1431969643732623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1317,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3197,"flow_dst_tot_l4_payload_len":6571,"midstream":0,"thread_ts_usec":1431969643732696,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":50028,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":80839.6,"flow_max":300868,"flow_stddev":83976.4,"c_to_s_min":1,"c_to_s_avg":72145.9,"c_to_s_max":288212,"c_to_s_stddev":80747.5,"s_to_c_min":3,"s_to_c_avg":92017.2,"s_to_c_max":300868,"s_to_c_stddev":86682.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":244.3,"c_to_s_max":1383,"c_to_s_stddev":332.7,"s_to_c_min":66,"s_to_c_avg":535.6,"s_to_c_max":1506,"s_to_c_stddev":559.0}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Skype_Teams","proto_id":"91.125","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01584{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"skype.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969642444382,"flow_src_last_pkt_time":1431969643732696,"flow_dst_last_pkt_time":1431969643732623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1317,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3197,"flow_dst_tot_l4_payload_len":6571,"midstream":0,"thread_ts_usec":1431969643732696,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":50028,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":83114.7,"flow_max":300868,"flow_stddev":84343.9,"c_to_s_min":1,"c_to_s_avg":75783.2,"c_to_s_max":288212,"c_to_s_stddev":81642.9,"s_to_c_min":3,"s_to_c_avg":92017.2,"s_to_c_max":300868,"s_to_c_stddev":86682.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":244.3,"c_to_s_max":1383,"c_to_s_stddev":332.7,"s_to_c_min":66,"s_to_c_avg":535.6,"s_to_c_max":1506,"s_to_c_stddev":559.0}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Skype_Teams","proto_id":"91.125","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":109,"source":"skype.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969643944313,"flow_src_last_pkt_time":1431969643944313,"flow_dst_last_pkt_time":1431969643944313,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969643944313,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"65.55.223.33","src_port":50030,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"skype.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_src_last_pkt_time":1431969643944313,"flow_dst_last_pkt_time":1431969643944313,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969643944313,"pkt":"0NQSxnP1PBXCt3IOCABFAABAYXlAAEAG9xvAqAEiQTffIcNuAbtcUOQ7AAAAALAC\/\/9\/kQAAAgQFtAEDAwUBAQgKPiKRcAAAAAAEAgAA"} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":112,"source":"skype.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969643971809,"flow_src_last_pkt_time":1431969643971809,"flow_dst_last_pkt_time":1431969643971809,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969643971809,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":60288,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -796,7 +796,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1528,"source":"skype.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":1,"flow_src_last_pkt_time":1431969707326642,"flow_dst_last_pkt_time":1431969707326642,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969707326642,"pkt":"0NQSxnP1PBXCt3IOCABFAABA1ORAAEAGTF\/AqAEiQAQXpsO3Abu4qWeDAAAAALAC\/\/9x6QAAAgQFtAEDAwUBAQgKPiOH3AAAAAAEAgAA"} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1531,"source":"skype.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":2,"flow_src_last_pkt_time":1431969707326642,"flow_dst_last_pkt_time":1431969707546419,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1431969707546419,"pkt":"PBXCt3IO0NQSxnP1CABFAAA8AABAADYGK0hABBemwKgBIgG7w7ccEsw5uKlnhKASOJDGigAAAgQFrAQCCApMP087PiOH3AEDAwk="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1532,"source":"skype.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":3,"flow_src_last_pkt_time":1431969707546527,"flow_dst_last_pkt_time":1431969707546419,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1431969707546527,"pkt":"0NQSxnP1PBXCt3IOCABFAAA0EpBAAEAGDsDAqAEiQAQXpsO3Abu4qWeEHBLMOoAQECwc2gAAAQEICj4jiLdMP087"} -01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1547,"source":"skype.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1431969648258514,"flow_src_last_pkt_time":1431969708341272,"flow_dst_last_pkt_time":1431969648258514,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":285,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":363,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":10560,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969708341272,"l3_proto":"ip4","src_ip":"192.168.0.254","dst_ip":"239.255.255.250","src_port":1025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":14698,"flow_avg":1886672.8,"flow_max":19850743,"flow_stddev":5778038.5,"c_to_s_min":14698,"c_to_s_avg":1886672.8,"c_to_s_max":19850743,"c_to_s_stddev":5778038.5,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":327,"c_to_s_avg":372.0,"c_to_s_max":405,"c_to_s_stddev":29.2,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1547,"source":"skype.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1431969648258514,"flow_src_last_pkt_time":1431969708341272,"flow_dst_last_pkt_time":1431969648258514,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":285,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":363,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":10560,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969708341272,"l3_proto":"ip4","src_ip":"192.168.0.254","dst_ip":"239.255.255.250","src_port":1025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":14698,"flow_avg":1938153.5,"flow_max":19850743,"flow_stddev":5863265.0,"c_to_s_min":14698,"c_to_s_avg":1938153.5,"c_to_s_max":19850743,"c_to_s_stddev":5863265.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":327,"c_to_s_avg":372.0,"c_to_s_max":405,"c_to_s_stddev":29.2,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1587,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969710853799,"flow_src_last_pkt_time":1431969710853799,"flow_dst_last_pkt_time":1431969710853799,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969710853799,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.28","src_port":50108,"dst_port":40009,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1587,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_packet_id":1,"flow_src_last_pkt_time":1431969710853799,"flow_dst_last_pkt_time":1431969710853799,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969710853799,"pkt":"0NQSxnP1PBXCt3IOCABFAABAz19AAEAG2DnAqAEinTg0HMO8nEnrI3UzAAAAALAC\/\/8PzQAAAgQFtAEDAwUBAQgKPiOVkAAAAAAEAgAA"} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1589,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_packet_id":2,"flow_src_last_pkt_time":1431969710853799,"flow_dst_last_pkt_time":1431969711097782,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1431969711097782,"pkt":"PBXCt3IO0NQSxnP1CABFAAA8AABAADMGtJ2dODQcwKgBIpxJw7we\/\/hU6yN1NKASOJAgZAAAAgQFrAQCCApMXGQgPiOVkAEDAwk="} @@ -820,7 +820,7 @@ 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1625,"source":"skype.pcap","alias":"nDPId-test","flow_id":232,"flow_packet_id":3,"flow_src_last_pkt_time":1431969712981073,"flow_dst_last_pkt_time":1431969712980992,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431969712981073,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoyL5AAEAGfAvAqAEiW77YfcO9MD57jsMtWI4CD1AQIAAMeQAA"} 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1632,"source":"skype.pcap","alias":"nDPId-test","flow_id":230,"flow_packet_id":2,"flow_src_last_pkt_time":1431969713175058,"flow_dst_last_pkt_time":1431969712913984,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431969713175058,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoTzkAAEARqBjAqAEiwKgBAdMzFOcAFCBsAAEAADLdMt0AAA4Q"} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1633,"source":"skype.pcap","alias":"nDPId-test","flow_id":231,"flow_packet_id":2,"flow_src_last_pkt_time":1431969713177253,"flow_dst_last_pkt_time":1431969712918145,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1431969713177253,"pkt":"PBXCt3IO0NQSxnP1CABFwABEBYIAAEAB8QPAqAEBwKgBIgMDgJYAAAAARQAAKE85AABAEagYwKgBIsCoAQHTMxTnABQgbAABAAAy3TLdAAAOEA=="} -01204{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1658,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431969710853799,"flow_src_last_pkt_time":1431969713563704,"flow_dst_last_pkt_time":1431969713605215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1305,"flow_dst_tot_l4_payload_len":2277,"midstream":0,"thread_ts_usec":1431969713605215,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.28","src_port":50108,"dst_port":40009,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":242251.1,"flow_max":2290715,"flow_stddev":419355.1,"c_to_s_min":127,"c_to_s_avg":312538.8,"c_to_s_max":2290715,"c_to_s_stddev":557177.2,"s_to_c_min":6,"s_to_c_avg":171963.5,"s_to_c_max":761004,"s_to_c_stddev":177172.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":148.3,"c_to_s_max":675,"c_to_s_stddev":178.0,"s_to_c_min":66,"s_to_c_avg":208.8,"s_to_c_max":1506,"s_to_c_stddev":360.7}}} +01202{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1658,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431969710853799,"flow_src_last_pkt_time":1431969713563704,"flow_dst_last_pkt_time":1431969713605215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1305,"flow_dst_tot_l4_payload_len":2277,"midstream":0,"thread_ts_usec":1431969713605215,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.28","src_port":50108,"dst_port":40009,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":176171.6,"flow_max":964718,"flow_stddev":204459.3,"c_to_s_min":127,"c_to_s_avg":180660.3,"c_to_s_max":964718,"c_to_s_stddev":229939.5,"s_to_c_min":6,"s_to_c_avg":171963.5,"s_to_c_max":761004,"s_to_c_stddev":177172.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":148.3,"c_to_s_max":675,"c_to_s_stddev":178.0,"s_to_c_min":66,"s_to_c_avg":208.8,"s_to_c_max":1506,"s_to_c_stddev":360.7}}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":1658,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431969710853799,"flow_src_last_pkt_time":1431969713563704,"flow_dst_last_pkt_time":1431969713605215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1305,"flow_dst_tot_l4_payload_len":2277,"midstream":0,"thread_ts_usec":1431969713605215,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.28","src_port":50108,"dst_port":40009,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1659,"source":"skype.pcap","alias":"nDPId-test","flow_id":230,"flow_packet_id":3,"flow_src_last_pkt_time":1431969713715848,"flow_dst_last_pkt_time":1431969712913984,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431969713715848,"pkt":"0NQSxnP1PBXCt3IOCABFAAAorjMAAEARSR7AqAEiwKgBAdMzFOcAFCBsAAEAADLdMt0AAA4Q"} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1660,"source":"skype.pcap","alias":"nDPId-test","flow_id":231,"flow_packet_id":3,"flow_src_last_pkt_time":1431969713717677,"flow_dst_last_pkt_time":1431969712918145,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1431969713717677,"pkt":"PBXCt3IO0NQSxnP1CABFwABEBYMAAEAB8QLAqAEBwKgBIgMDgJYAAAAARQAAKK4zAABAEUkewKgBIsCoAQHTMxTnABQgbAABAAAy3TLdAAAOEA=="} @@ -898,7 +898,7 @@ 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1857,"source":"skype.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":1,"flow_src_last_pkt_time":1431969716182666,"flow_dst_last_pkt_time":1431969716182666,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969716182666,"pkt":"0NQSxnP1PBXCt3IOCABFAABAI3FAAEAG8D7AqAEiUYUTucPKrY8W93X3AAAAALAC\/\/8pggAAAgQFtAEDAwUBAQgKPiOqBgAAAAAEAgAA"} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1877,"source":"skype.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":2,"flow_src_last_pkt_time":1431969716182666,"flow_dst_last_pkt_time":1431969716265530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969716265530,"pkt":"PBXCt3IO0NQSxnP1CABFAABAivNAADAGmLxRhRO5wKgBIq2Pw8rX0EaLFvd1+LAS\/\/\/WdwAAAgQFrAEDAwUBAQgKArAx9T4jqgYEAgAA"} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1878,"source":"skype.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":3,"flow_src_last_pkt_time":1431969716265616,"flow_dst_last_pkt_time":1431969716265530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1431969716265616,"pkt":"0NQSxnP1PBXCt3IOCABFAAA0OVVAAEAG2mbAqAEiUYUTucPKrY8W93X419BGjIAQECwFxAAAAQEICj4jqlUCsDH1"} -01194{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1914,"source":"skype.pcap","alias":"nDPId-test","flow_id":250,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1431969715511238,"flow_src_last_pkt_time":1431969716485221,"flow_dst_last_pkt_time":1431969716484897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1183,"flow_src_tot_l4_payload_len":1698,"flow_dst_tot_l4_payload_len":1733,"midstream":0,"thread_ts_usec":1431969716485221,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"86.31.35.30","src_port":50119,"dst_port":59621,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":69725.6,"flow_max":283578,"flow_stddev":71158.1,"c_to_s_min":71,"c_to_s_avg":62878.1,"c_to_s_max":283578,"c_to_s_stddev":78699.3,"s_to_c_min":3,"s_to_c_avg":81138.2,"s_to_c_max":199756,"s_to_c_stddev":54512.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":151.5,"c_to_s_max":820,"c_to_s_stddev":194.1,"s_to_c_min":66,"s_to_c_avg":211.1,"s_to_c_max":1249,"s_to_c_stddev":323.1}}} +01194{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1914,"source":"skype.pcap","alias":"nDPId-test","flow_id":250,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1431969715511238,"flow_src_last_pkt_time":1431969716485221,"flow_dst_last_pkt_time":1431969716484897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1183,"flow_src_tot_l4_payload_len":1698,"flow_dst_tot_l4_payload_len":1733,"midstream":0,"thread_ts_usec":1431969716485221,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"86.31.35.30","src_port":50119,"dst_port":59621,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":62827.2,"flow_max":199756,"flow_stddev":60860.2,"c_to_s_min":71,"c_to_s_avg":51262.3,"c_to_s_max":199749,"c_to_s_stddev":61814.4,"s_to_c_min":3,"s_to_c_avg":81138.2,"s_to_c_max":199756,"s_to_c_stddev":54512.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":151.5,"c_to_s_max":820,"c_to_s_stddev":194.1,"s_to_c_min":66,"s_to_c_avg":211.1,"s_to_c_max":1249,"s_to_c_stddev":323.1}}} 00813{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":1914,"source":"skype.pcap","alias":"nDPId-test","flow_id":250,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1431969715511238,"flow_src_last_pkt_time":1431969716485221,"flow_dst_last_pkt_time":1431969716484897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1183,"flow_src_tot_l4_payload_len":1698,"flow_dst_tot_l4_payload_len":1733,"midstream":0,"thread_ts_usec":1431969716485221,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"86.31.35.30","src_port":50119,"dst_port":59621,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 01183{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1947,"source":"skype.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":3,"flow_src_last_pkt_time":1431969716797621,"flow_dst_last_pkt_time":1431969656652360,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"thread_ts_usec":1431969716797621,"pkt":"\/\/\/\/\/\/\/\/PBXCt3IOCABFAAISY\/IAAEARUx\/AqAEi\/\/\/\/\/0RcRFwB\/vqceyJob3N0X2ludCI6IDE1NzMxOTU0NDUsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="} 01178{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1948,"source":"skype.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_src_last_pkt_time":1431969716797900,"flow_dst_last_pkt_time":1431969656652710,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"thread_ts_usec":1431969716797900,"pkt":"\/\/\/\/\/\/\/\/PBXCt3IOCABFAAISf8oAAEARdJ\/AqAEiwKgB\/0RcRFwB\/jf1eyJob3N0X2ludCI6IDE1NzMxOTU0NDUsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="} @@ -948,14 +948,14 @@ 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2164,"source":"skype.pcap","alias":"nDPId-test","flow_id":261,"flow_packet_id":1,"flow_src_last_pkt_time":1431969719561453,"flow_dst_last_pkt_time":1431969719561453,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969719561453,"pkt":"0NQSxnP1PBXCt3IOCABFAABAR+5AAEAG+sPAqAEiW77afcPRMD4OYtZAAAAAALAC\/\/9xPAAAAgQFtAEDAwUBAQgKPiO25AAAAAAEAgAA"} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2177,"source":"skype.pcap","alias":"nDPId-test","flow_id":261,"flow_packet_id":2,"flow_src_last_pkt_time":1431969719561453,"flow_dst_last_pkt_time":1431969719623289,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1431969719623289,"pkt":"PBXCt3IO0NQSxnP1CABFAAA0Hj5AAPQGcH9bvtp9wKgBIjA+w9E3PWT9DmLWQYASH\/7iJQAAAgQFoAEDAwQBAQQC"} 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2180,"source":"skype.pcap","alias":"nDPId-test","flow_id":261,"flow_packet_id":3,"flow_src_last_pkt_time":1431969719623434,"flow_dst_last_pkt_time":1431969719623289,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431969719623434,"pkt":"0NQSxnP1PBXCt3IOCABFAAAo4VtAAEAGYW7AqAEiW77afcPRMD4OYtZBNz1k\/lAQIAAi3wAA"} -01486{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2213,"source":"skype.pcap","alias":"nDPId-test","flow_id":260,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1431969719110749,"flow_src_last_pkt_time":1431969720072924,"flow_dst_last_pkt_time":1431969720249898,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":626,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2665,"flow_dst_tot_l4_payload_len":3500,"midstream":0,"thread_ts_usec":1431969720249898,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.172.100.36","src_port":50128,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":67399.4,"flow_max":604696,"flow_stddev":133791.1,"c_to_s_min":1,"c_to_s_avg":67842.1,"c_to_s_max":449491,"c_to_s_stddev":119222.4,"s_to_c_min":4,"s_to_c_avg":67008.8,"s_to_c_max":604696,"s_to_c_stddev":145437.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":233.3,"c_to_s_max":680,"c_to_s_stddev":258.7,"s_to_c_min":60,"s_to_c_avg":262.7,"s_to_c_max":1494,"s_to_c_stddev":415.2}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01486{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2213,"source":"skype.pcap","alias":"nDPId-test","flow_id":260,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1431969719110749,"flow_src_last_pkt_time":1431969720072924,"flow_dst_last_pkt_time":1431969720249898,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":626,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2665,"flow_dst_tot_l4_payload_len":3500,"midstream":0,"thread_ts_usec":1431969720249898,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.172.100.36","src_port":50128,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":67784.6,"flow_max":604696,"flow_stddev":135914.5,"c_to_s_min":1,"c_to_s_avg":68726.8,"c_to_s_max":449491,"c_to_s_stddev":123359.3,"s_to_c_min":4,"s_to_c_avg":67008.8,"s_to_c_max":604696,"s_to_c_stddev":145437.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":233.3,"c_to_s_max":680,"c_to_s_stddev":258.7,"s_to_c_min":60,"s_to_c_avg":262.7,"s_to_c_max":1494,"s_to_c_stddev":415.2}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2226,"source":"skype.pcap","alias":"nDPId-test","flow_id":262,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969720556111,"flow_src_last_pkt_time":1431969720556111,"flow_dst_last_pkt_time":1431969720556111,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":46,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":46,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":46,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720556111,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":52742,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2226,"source":"skype.pcap","alias":"nDPId-test","flow_id":262,"flow_packet_id":1,"flow_src_last_pkt_time":1431969720556111,"flow_dst_last_pkt_time":1431969720556111,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969720556111,"pkt":"0NQSxnP1PBXCt3IOCABFAABKnloAAEARWNXAqAEiwKgBAc4GADUANhjrBXkBAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDUBcgVza3lwZQNuZXQAAAEAAQ=="} 01018{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2226,"source":"skype.pcap","alias":"nDPId-test","flow_id":262,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969720556111,"flow_src_last_pkt_time":1431969720556111,"flow_dst_last_pkt_time":1431969720556111,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":46,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":46,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":46,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720556111,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":52742,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Skype_Teams","proto_id":"5.125","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"335.0.7.7.3.rst5.r.skype.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2227,"source":"skype.pcap","alias":"nDPId-test","flow_id":263,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969720556330,"flow_src_last_pkt_time":1431969720556330,"flow_dst_last_pkt_time":1431969720556330,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":46,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":46,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":46,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720556330,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":56387,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2227,"source":"skype.pcap","alias":"nDPId-test","flow_id":263,"flow_packet_id":1,"flow_src_last_pkt_time":1431969720556330,"flow_dst_last_pkt_time":1431969720556330,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969720556330,"pkt":"0NQSxnP1PBXCt3IOCABFAABK65gAAEARC5fAqAEiwKgBAdxDADUANtEePu0BAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDUBcgVza3lwZQNuZXQAABwAAQ=="} 01019{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2227,"source":"skype.pcap","alias":"nDPId-test","flow_id":263,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969720556330,"flow_src_last_pkt_time":1431969720556330,"flow_dst_last_pkt_time":1431969720556330,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":46,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":46,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":46,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720556330,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":56387,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Skype_Teams","proto_id":"5.125","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"335.0.7.7.3.rst5.r.skype.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01211{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2241,"source":"skype.pcap","alias":"nDPId-test","flow_id":251,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969716015431,"flow_src_last_pkt_time":1431969721054543,"flow_dst_last_pkt_time":1431969721054434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":753,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":1406,"midstream":0,"thread_ts_usec":1431969721054543,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":50121,"dst_port":17639,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":104,"flow_avg":321720.4,"flow_max":1782015,"flow_stddev":502070.3,"c_to_s_min":104,"c_to_s_avg":276634.2,"c_to_s_max":1468105,"c_to_s_stddev":460997.2,"s_to_c_min":60135,"s_to_c_avg":387615.6,"s_to_c_max":1782015,"s_to_c_stddev":550067.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":145.4,"c_to_s_max":819,"c_to_s_stddev":200.5,"s_to_c_min":66,"s_to_c_avg":174.8,"s_to_c_max":1190,"s_to_c_stddev":293.7}}} +01211{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2241,"source":"skype.pcap","alias":"nDPId-test","flow_id":251,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969716015431,"flow_src_last_pkt_time":1431969721054543,"flow_dst_last_pkt_time":1431969721054434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":753,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":1406,"midstream":0,"thread_ts_usec":1431969721054543,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":50121,"dst_port":17639,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":104,"flow_avg":325100.5,"flow_max":1782015,"flow_stddev":509745.4,"c_to_s_min":104,"c_to_s_avg":279950.7,"c_to_s_max":1468105,"c_to_s_stddev":473408.9,"s_to_c_min":60135,"s_to_c_avg":387615.6,"s_to_c_max":1782015,"s_to_c_stddev":550067.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":145.4,"c_to_s_max":819,"c_to_s_stddev":200.5,"s_to_c_min":66,"s_to_c_avg":174.8,"s_to_c_max":1190,"s_to_c_stddev":293.7}}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":2241,"source":"skype.pcap","alias":"nDPId-test","flow_id":251,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969716015431,"flow_src_last_pkt_time":1431969721054543,"flow_dst_last_pkt_time":1431969721054434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":753,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":1406,"midstream":0,"thread_ts_usec":1431969721054543,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":50121,"dst_port":17639,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2273,"source":"skype.pcap","alias":"nDPId-test","flow_id":262,"flow_packet_id":2,"flow_src_last_pkt_time":1431969721596689,"flow_dst_last_pkt_time":1431969720556111,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969721596689,"pkt":"0NQSxnP1PBXCt3IOCABFAABKt0gAAEARP+fAqAEiwKgBAc4GADUANhjrBXkBAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDUBcgVza3lwZQNuZXQAAAEAAQ=="} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2274,"source":"skype.pcap","alias":"nDPId-test","flow_id":263,"flow_packet_id":2,"flow_src_last_pkt_time":1431969721596772,"flow_dst_last_pkt_time":1431969720556330,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969721596772,"pkt":"0NQSxnP1PBXCt3IOCABFAABKslEAAEARRN7AqAEiwKgBAdxDADUANtEePu0BAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDUBcgVza3lwZQNuZXQAABwAAQ=="} @@ -1011,7 +1011,7 @@ 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2528,"source":"skype.pcap","alias":"nDPId-test","flow_id":273,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969735255261,"flow_src_last_pkt_time":1431969735255261,"flow_dst_last_pkt_time":1431969735255261,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":18,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":18,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969735255261,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"106.188.249.186","src_port":13021,"dst_port":15120,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2528,"source":"skype.pcap","alias":"nDPId-test","flow_id":273,"flow_packet_id":1,"flow_src_last_pkt_time":1431969735255261,"flow_dst_last_pkt_time":1431969735255261,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":26,"thread_ts_usec":1431969735255261,"pkt":"0NQSxnP1PBXCt3IOCABFAAAuQGgAAEARFBbAqAEiarz5ujLdOxAAGjrunqMCSv26L3gQtCJn9dl5F8Bv"} 00891{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2528,"source":"skype.pcap","alias":"nDPId-test","flow_id":273,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969735255261,"flow_src_last_pkt_time":1431969735255261,"flow_dst_last_pkt_time":1431969735255261,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":18,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":18,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969735255261,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"106.188.249.186","src_port":13021,"dst_port":15120,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01213{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2580,"source":"skype.pcap","alias":"nDPId-test","flow_id":248,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969715510906,"flow_src_last_pkt_time":1431969745372080,"flow_dst_last_pkt_time":1431969745371963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":777,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1536,"flow_dst_tot_l4_payload_len":1336,"midstream":0,"thread_ts_usec":1431969745372080,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50117,"dst_port":18767,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":1875171.1,"flow_max":25523822,"flow_stddev":6106035.5,"c_to_s_min":96,"c_to_s_avg":1674690.0,"c_to_s_max":25523822,"c_to_s_stddev":5802039.5,"s_to_c_min":3,"s_to_c_avg":2132932.5,"s_to_c_max":25387599,"s_to_c_stddev":6466826.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":152.0,"c_to_s_max":843,"c_to_s_stddev":209.6,"s_to_c_min":66,"s_to_c_avg":162.3,"s_to_c_max":1090,"s_to_c_stddev":258.6}}} +01213{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2580,"source":"skype.pcap","alias":"nDPId-test","flow_id":248,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969715510906,"flow_src_last_pkt_time":1431969745372080,"flow_dst_last_pkt_time":1431969745371963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":777,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1536,"flow_dst_tot_l4_payload_len":1336,"midstream":0,"thread_ts_usec":1431969745372080,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50117,"dst_port":18767,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":1926523.6,"flow_max":25523822,"flow_stddev":6196933.5,"c_to_s_min":96,"c_to_s_avg":1756539.6,"c_to_s_max":25523822,"c_to_s_stddev":5960141.5,"s_to_c_min":3,"s_to_c_avg":2132932.5,"s_to_c_max":25387599,"s_to_c_stddev":6466826.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":152.0,"c_to_s_max":843,"c_to_s_stddev":209.6,"s_to_c_min":66,"s_to_c_avg":162.3,"s_to_c_max":1090,"s_to_c_stddev":258.6}}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":2580,"source":"skype.pcap","alias":"nDPId-test","flow_id":248,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969715510906,"flow_src_last_pkt_time":1431969745372080,"flow_dst_last_pkt_time":1431969745371963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":777,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1536,"flow_dst_tot_l4_payload_len":1336,"midstream":0,"thread_ts_usec":1431969745372080,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50117,"dst_port":18767,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2593,"source":"skype.pcap","alias":"nDPId-test","flow_id":274,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969745776534,"flow_src_last_pkt_time":1431969745776534,"flow_dst_last_pkt_time":1431969745776534,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":133,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":133,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":133,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969745776534,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"239.255.255.250","src_port":56886,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00681{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2593,"source":"skype.pcap","alias":"nDPId-test","flow_id":274,"flow_packet_id":1,"flow_src_last_pkt_time":1431969745776534,"flow_dst_last_pkt_time":1431969745776534,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1431969745776534,"pkt":"AQBef\/\/6PBXCt3IOCABFAACh3hQAAAERKXPAqAEi7\/\/\/+t42B2wAjVUWTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KTVg6IDINCkhPU1Q6IDIzOS4yNTUuMjU1LjI1MDoxOTAwDQpNQU46ICJzc2RwOmRpc2NvdmVyIg0KU1Q6IHVybjpzY2hlbWFzLXVwbnAtb3JnOnNlcnZpY2U6V0FOUFBQQ29ubmVjdGlvbjoxDQoNCg=="} @@ -1107,7 +1107,7 @@ 00761{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3251,"source":"skype.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":3,"flow_first_seen":1431969658979286,"flow_src_last_pkt_time":1431969678254809,"flow_dst_last_pkt_time":1431969678254715,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":72,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":240,"flow_dst_tot_l4_payload_len":24,"midstream":0,"thread_ts_usec":1431969802019013,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.55.130.140","src_port":50038,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00862{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":3251,"source":"skype.pcap","alias":"nDPId-test","flow_id":63,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":3,"flow_first_seen":1431969658978927,"flow_src_last_pkt_time":1431969677390359,"flow_dst_last_pkt_time":1431969677390301,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":72,"flow_dst_max_l4_payload_len":48,"flow_src_tot_l4_payload_len":348,"flow_dst_tot_l4_payload_len":48,"midstream":0,"thread_ts_usec":1431969802019013,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.44","src_port":50036,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3251,"source":"skype.pcap","alias":"nDPId-test","flow_id":63,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":3,"flow_first_seen":1431969658978927,"flow_src_last_pkt_time":1431969677390359,"flow_dst_last_pkt_time":1431969677390301,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":72,"flow_dst_max_l4_payload_len":48,"flow_src_tot_l4_payload_len":348,"flow_dst_tot_l4_payload_len":48,"midstream":0,"thread_ts_usec":1431969802019013,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.44","src_port":50036,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} -01215{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3269,"source":"skype.pcap","alias":"nDPId-test","flow_id":283,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969771806353,"flow_src_last_pkt_time":1431969808100305,"flow_dst_last_pkt_time":1431969777317750,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1531,"flow_dst_tot_l4_payload_len":1305,"midstream":0,"thread_ts_usec":1431969808100305,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50138,"dst_port":18767,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":98,"flow_avg":1317939.2,"flow_max":30125563,"flow_stddev":5220433.0,"c_to_s_min":98,"c_to_s_avg":1929613.5,"c_to_s_max":30125563,"c_to_s_stddev":6677651.0,"s_to_c_min":74979,"s_to_c_avg":423953.6,"s_to_c_max":3022192,"s_to_c_stddev":752713.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":147.2,"c_to_s_max":842,"c_to_s_stddev":204.7,"s_to_c_min":66,"s_to_c_avg":167.3,"s_to_c_max":1090,"s_to_c_stddev":267.5}}} +01215{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3269,"source":"skype.pcap","alias":"nDPId-test","flow_id":283,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969771806353,"flow_src_last_pkt_time":1431969808100305,"flow_dst_last_pkt_time":1431969777317750,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1531,"flow_dst_tot_l4_payload_len":1305,"midstream":0,"thread_ts_usec":1431969808100305,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50138,"dst_port":18767,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":98,"flow_avg":1348559.6,"flow_max":30125563,"flow_stddev":5301136.0,"c_to_s_min":98,"c_to_s_avg":2016330.6,"c_to_s_max":30125563,"c_to_s_stddev":6850213.5,"s_to_c_min":74979,"s_to_c_avg":423953.6,"s_to_c_max":3022192,"s_to_c_stddev":752713.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":147.2,"c_to_s_max":842,"c_to_s_stddev":204.7,"s_to_c_min":66,"s_to_c_avg":167.3,"s_to_c_max":1090,"s_to_c_stddev":267.5}}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":3269,"source":"skype.pcap","alias":"nDPId-test","flow_id":283,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969771806353,"flow_src_last_pkt_time":1431969808100305,"flow_dst_last_pkt_time":1431969777317750,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1531,"flow_dst_tot_l4_payload_len":1305,"midstream":0,"thread_ts_usec":1431969808100305,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50138,"dst_port":18767,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00808{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":3284,"source":"skype.pcap","alias":"nDPId-test","flow_id":221,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":4,"flow_first_seen":1431969704664322,"flow_src_last_pkt_time":1431969723753428,"flow_dst_last_pkt_time":1431969723753303,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":137,"flow_dst_tot_l4_payload_len":114,"midstream":0,"thread_ts_usec":1431969808951480,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"65.55.223.15","src_port":50098,"dst_port":40026,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00763{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3284,"source":"skype.pcap","alias":"nDPId-test","flow_id":221,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":4,"flow_first_seen":1431969704664322,"flow_src_last_pkt_time":1431969723753428,"flow_dst_last_pkt_time":1431969723753303,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":137,"flow_dst_tot_l4_payload_len":114,"midstream":0,"thread_ts_usec":1431969808951480,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"65.55.223.15","src_port":50098,"dst_port":40026,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/skype_no_unknown.pcap.out b/test/results/skype_no_unknown.pcap.out index eb9bbeec3..00652fd13 100644 --- a/test/results/skype_no_unknown.pcap.out +++ b/test/results/skype_no_unknown.pcap.out @@ -79,7 +79,7 @@ 01007{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":72,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970636044810,"flow_src_last_pkt_time":1431970636044810,"flow_dst_last_pkt_time":1431970636044810,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":197,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1431970636044810,"l3_proto":"ip4","src_ip":"17.143.160.149","dst_ip":"192.168.1.34","src_port":5223,"dst_port":50407,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_src_last_pkt_time":1431970636044810,"flow_dst_last_pkt_time":1431970636044874,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1431970636044874,"pkt":"0NQSxnP1PBXCt3IOCABFAAA0K69AAEAGmybAqAEiEY+glcTnFGcgAvEUyi6rq4AQD\/mVBgAAAQEICj4xjDlVV93M"} 00658{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":74,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":3,"flow_src_last_pkt_time":1431970636044810,"flow_dst_last_pkt_time":1431970636045750,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":156,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":156,"pkt_l4_len":122,"thread_ts_usec":1431970636045750,"pkt":"0NQSxnP1PBXCt3IOCABFAACO6xNAAEAG22fAqAEiEY+glcTnFGcgAvEUyi6rq4AYEAB7VwAAAQEICj4xjDlVV93MFwMBACDcBm8C5CuEds5WH7uOVSaoSAeWe3pVfjpiQwGsBHUCdhcDAQAwqX6WBIxQfVe36rHY2TMg9Ev1HCHJmLbDku3Ki37TObTq6YVIEEF1VGVKw\/q+D6y6"} -01597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":77,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970634729598,"flow_src_last_pkt_time":1431970635881910,"flow_dst_last_pkt_time":1431970636210299,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1317,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3197,"flow_dst_tot_l4_payload_len":6571,"midstream":0,"thread_ts_usec":1431970636210299,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":51230,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":84164.6,"flow_max":302172,"flow_stddev":89940.0,"c_to_s_min":176,"c_to_s_avg":71327.4,"c_to_s_max":286823,"c_to_s_stddev":79904.3,"s_to_c_min":4,"s_to_c_avg":98713.4,"s_to_c_max":302172,"s_to_c_stddev":98094.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":254.8,"c_to_s_max":1383,"c_to_s_stddev":339.4,"s_to_c_min":66,"s_to_c_avg":504.3,"s_to_c_max":1506,"s_to_c_stddev":552.6}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Skype_Teams","proto_id":"91.125","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":77,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970634729598,"flow_src_last_pkt_time":1431970635881910,"flow_dst_last_pkt_time":1431970636210299,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1317,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3197,"flow_dst_tot_l4_payload_len":6571,"midstream":0,"thread_ts_usec":1431970636210299,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":51230,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":84935.9,"flow_max":302172,"flow_stddev":91274.9,"c_to_s_min":176,"c_to_s_avg":72019.5,"c_to_s_max":286823,"c_to_s_stddev":82314.0,"s_to_c_min":4,"s_to_c_avg":98713.4,"s_to_c_max":302172,"s_to_c_stddev":98094.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":254.8,"c_to_s_max":1383,"c_to_s_stddev":339.4,"s_to_c_min":66,"s_to_c_avg":504.3,"s_to_c_max":1506,"s_to_c_stddev":552.6}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Skype_Teams","proto_id":"91.125","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":87,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970636300980,"flow_src_last_pkt_time":1431970636300980,"flow_dst_last_pkt_time":1431970636300980,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970636300980,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":50055,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_src_last_pkt_time":1431970636300980,"flow_dst_last_pkt_time":1431970636300980,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1431970636300980,"pkt":"0NQSxnP1PBXCt3IOCABFAABLV\/cAAEARnzfAqAEiwKgBAcOHADUANwqgVG4BAAABAAAAAAAABHBpcGUDcHJkCXNreXBlZGF0YQZha2FkbnMDbmV0AAABAAE="} 01027{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970636300980,"flow_src_last_pkt_time":1431970636300980,"flow_dst_last_pkt_time":1431970636300980,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970636300980,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":50055,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Skype_Teams","proto_id":"5.125","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"pipe.prd.skypedata.akadns.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -111,7 +111,7 @@ 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":273,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1431970637443973,"flow_dst_last_pkt_time":1431970635325136,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":72,"pkt_l4_len":38,"thread_ts_usec":1431970637443973,"pkt":"0NQSxnP1PBXCt3IOCABFAAA6+FgAAEAR\/ubAqAEiwKgBAfgaADUAJptGWcsBAAABAAAAAAAAAnVpBXNreXBlA2NvbQAAAQAB"} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":439,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_src_last_pkt_time":1431970638471236,"flow_dst_last_pkt_time":1431970636300980,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1431970638471236,"pkt":"0NQSxnP1PBXCt3IOCABFAABLoPEAAEARVj3AqAEiwKgBAcOHADUANwqgVG4BAAABAAAAAAAABHBpcGUDcHJkCXNreXBlZGF0YQZha2FkbnMDbmV0AAABAAE="} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":440,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1431970638471318,"flow_dst_last_pkt_time":1431970636301275,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1431970638471318,"pkt":"0NQSxnP1PBXCt3IOCABFAABL\/NIAAEAR+lvAqAEiwKgBAcopADUAN1kA5GsBAAABAAAAAAAABHBpcGUDcHJkCXNreXBlZGF0YQZha2FkbnMDbmV0AAAcAAE="} -01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":448,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431970637197675,"flow_src_last_pkt_time":1431970639484015,"flow_dst_last_pkt_time":1431970639483962,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":626,"flow_dst_max_l4_payload_len":607,"flow_src_tot_l4_payload_len":3514,"flow_dst_tot_l4_payload_len":2368,"midstream":1,"thread_ts_usec":1431970639484015,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.172.100.36","src_port":51227,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":163725.0,"flow_max":1077385,"flow_stddev":335485.7,"c_to_s_min":61,"c_to_s_avg":191501.1,"c_to_s_max":933119,"c_to_s_stddev":323938.2,"s_to_c_min":3,"s_to_c_avg":142892.9,"s_to_c_max":1077385,"s_to_c_stddev":342416.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":273.6,"c_to_s_max":680,"c_to_s_stddev":284.8,"s_to_c_min":60,"s_to_c_avg":204.2,"s_to_c_max":661,"s_to_c_stddev":210.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":448,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431970637197675,"flow_src_last_pkt_time":1431970639484015,"flow_dst_last_pkt_time":1431970639483962,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":626,"flow_dst_max_l4_payload_len":607,"flow_src_tot_l4_payload_len":3514,"flow_dst_tot_l4_payload_len":2368,"midstream":1,"thread_ts_usec":1431970639484015,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.172.100.36","src_port":51227,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":169356.6,"flow_max":1077385,"flow_stddev":340339.8,"c_to_s_min":61,"c_to_s_avg":207849.1,"c_to_s_max":933119,"c_to_s_stddev":333569.3,"s_to_c_min":3,"s_to_c_avg":142892.9,"s_to_c_max":1077385,"s_to_c_stddev":342416.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":273.6,"c_to_s_max":680,"c_to_s_stddev":284.8,"s_to_c_min":60,"s_to_c_avg":204.2,"s_to_c_max":661,"s_to_c_stddev":210.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":477,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970642408833,"flow_src_last_pkt_time":1431970642408833,"flow_dst_last_pkt_time":1431970642408833,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970642408833,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00579{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":477,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_src_last_pkt_time":1431970642408833,"flow_dst_last_pkt_time":1431970642408833,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1431970642408833,"pkt":"\/\/\/\/\/\/\/\/PBXCt3IOCABFAABOkRoAAEARZRPAqAEiwKgB\/wCJAIkAOosFRXIBEAABAAAAAAAAIEFCQUNGUEZQRU5GREVDRkNFUEZIRkRFRkZQRlBBQ0FCAAAgAAE="} 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":477,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970642408833,"flow_src_last_pkt_time":1431970642408833,"flow_dst_last_pkt_time":1431970642408833,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970642408833,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"__msbrowse__"}} @@ -800,7 +800,7 @@ 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1353,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":228,"flow_packet_id":3,"flow_src_last_pkt_time":1431970686381625,"flow_dst_last_pkt_time":1431970686381504,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431970686381625,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoqoZAAEAGmEPAqAEiW77afchVMD6WWeS3Rpk1L1AQIACoYAAA"} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1361,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":225,"flow_packet_id":3,"flow_src_last_pkt_time":1431970686624286,"flow_dst_last_pkt_time":1431970685835490,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431970686624286,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoWF8AAEARnvLAqAEiwKgBAeasFOcAFAzzAAEAADLdMt0AAA4Q"} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1362,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":3,"flow_src_last_pkt_time":1431970686627227,"flow_dst_last_pkt_time":1431970685839326,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1431970686627227,"pkt":"PBXCt3IO0NQSxnP1CABFwABElr8AAEABX8bAqAEBwKgBIgMDgJYAAAAARQAAKFhfAABAEZ7ywKgBIsCoAQHmrBTnABQM8wABAAAy3TLdAAAOEA=="} -01217{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1368,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":210,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970682971895,"flow_src_last_pkt_time":1431970686763311,"flow_dst_last_pkt_time":1431970686763184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1353,"flow_dst_tot_l4_payload_len":2282,"midstream":0,"thread_ts_usec":1431970686763311,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"111.221.74.48","src_port":51279,"dst_port":40008,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":343837.0,"flow_max":3420078,"flow_stddev":616519.9,"c_to_s_min":133,"c_to_s_avg":424205.5,"c_to_s_max":3420078,"c_to_s_stddev":784768.1,"s_to_c_min":3,"s_to_c_avg":252752.6,"s_to_c_max":1296903,"s_to_c_stddev":311898.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":147.0,"c_to_s_max":675,"c_to_s_stddev":182.1,"s_to_c_min":66,"s_to_c_avg":218.7,"s_to_c_max":1506,"s_to_c_stddev":370.6}}} +01217{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1368,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":210,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970682971895,"flow_src_last_pkt_time":1431970686763311,"flow_dst_last_pkt_time":1431970686763184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1353,"flow_dst_tot_l4_payload_len":2282,"midstream":0,"thread_ts_usec":1431970686763311,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"111.221.74.48","src_port":51279,"dst_port":40008,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":244603.4,"flow_max":1296903,"flow_stddev":277928.5,"c_to_s_min":133,"c_to_s_avg":236963.5,"c_to_s_max":1006187,"c_to_s_stddev":241535.5,"s_to_c_min":3,"s_to_c_avg":252752.6,"s_to_c_max":1296903,"s_to_c_stddev":311898.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":147.0,"c_to_s_max":675,"c_to_s_stddev":182.1,"s_to_c_min":66,"s_to_c_avg":218.7,"s_to_c_max":1506,"s_to_c_stddev":370.6}}} 00826{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":1368,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":210,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970682971895,"flow_src_last_pkt_time":1431970686763311,"flow_dst_last_pkt_time":1431970686763184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1353,"flow_dst_tot_l4_payload_len":2282,"midstream":0,"thread_ts_usec":1431970686763311,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"111.221.74.48","src_port":51279,"dst_port":40008,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1372,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":229,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970686843964,"flow_src_last_pkt_time":1431970686843964,"flow_dst_last_pkt_time":1431970686843964,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970686843964,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"91.190.218.125","src_port":51286,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1372,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":229,"flow_packet_id":1,"flow_src_last_pkt_time":1431970686843964,"flow_dst_last_pkt_time":1431970686843964,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431970686843964,"pkt":"0NQSxnP1PBXCt3IOCABFAABAXdpAAEAG5NfAqAEiW77afchWAbv9gi8BAAAAALAC\/\/+4gAAAAgQFtAEDAwUBAQgKPjJRrgAAAAAEAgAA"} @@ -894,7 +894,7 @@ 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1755,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":251,"flow_packet_id":3,"flow_src_last_pkt_time":1431970693239613,"flow_dst_last_pkt_time":1431970693239490,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431970693239613,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoI6NAAEAGISfAqAEiW77YfchmAbumoVhkgmR6JFAQIADUHQAA"} 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1790,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":252,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970694308651,"flow_src_last_pkt_time":1431970694308651,"flow_dst_last_pkt_time":1431970694308651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970694308651,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"80.121.84.93","src_port":51303,"dst_port":62381,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1790,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":1,"flow_src_last_pkt_time":1431970694308651,"flow_dst_last_pkt_time":1431970694308651,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431970694308651,"pkt":"0NQSxnP1PBXCt3IOCABFAABA0wpAAEAGAQ3AqAEiUHlUXchn861MQWgbAAAAALAC\/\/+zaQAAAgQFtAEDAwUBAQgKPjJuTgAAAAAEAgAA"} -01222{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1791,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":242,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431970689672643,"flow_src_last_pkt_time":1431970693736762,"flow_dst_last_pkt_time":1431970694329250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":752,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1528,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":1431970694329250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":51294,"dst_port":17639,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":128,"flow_avg":273273.8,"flow_max":2004084,"flow_stddev":495225.5,"c_to_s_min":128,"c_to_s_avg":227119.6,"c_to_s_max":1936170,"c_to_s_stddev":478118.3,"s_to_c_min":64112,"s_to_c_avg":332614.8,"s_to_c_max":2004084,"s_to_c_stddev":510290.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":151.6,"c_to_s_max":818,"c_to_s_stddev":204.4,"s_to_c_min":66,"s_to_c_avg":164.5,"s_to_c_max":1190,"s_to_c_stddev":284.9}}} +01222{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1791,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":242,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431970689672643,"flow_src_last_pkt_time":1431970693736762,"flow_dst_last_pkt_time":1431970694329250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":752,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1528,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":1431970694329250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":51294,"dst_port":17639,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":128,"flow_avg":281313.8,"flow_max":2004084,"flow_stddev":501089.8,"c_to_s_min":128,"c_to_s_avg":239065.8,"c_to_s_max":1936170,"c_to_s_stddev":489362.0,"s_to_c_min":64112,"s_to_c_avg":332614.8,"s_to_c_max":2004084,"s_to_c_stddev":510290.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":151.6,"c_to_s_max":818,"c_to_s_stddev":204.4,"s_to_c_min":66,"s_to_c_avg":164.5,"s_to_c_max":1190,"s_to_c_stddev":284.9}}} 00825{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":1791,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":242,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431970689672643,"flow_src_last_pkt_time":1431970693736762,"flow_dst_last_pkt_time":1431970694329250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":752,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1528,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":1431970694329250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":51294,"dst_port":17639,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1812,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":2,"flow_src_last_pkt_time":1431970695316316,"flow_dst_last_pkt_time":1431970694308651,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431970695316316,"pkt":"0NQSxnP1PBXCt3IOCABFAABAwedAAEAGEjDAqAEiUHlUXchn861MQWgbAAAAALAC\/\/+vgAAAAgQFtAEDAwUBAQgKPjJyNwAAAAAEAgAA"} 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1817,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":253,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970695865959,"flow_src_last_pkt_time":1431970695865959,"flow_dst_last_pkt_time":1431970695865959,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970695865959,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"149.13.32.15","src_port":51305,"dst_port":13392,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -959,7 +959,7 @@ 00770{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2131,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":266,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970707911507,"flow_src_last_pkt_time":1431970707911507,"flow_dst_last_pkt_time":1431970707911507,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":18,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":18,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970707911507,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"133.236.67.25","src_port":13021,"dst_port":49195,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2131,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":266,"flow_packet_id":1,"flow_src_last_pkt_time":1431970707911507,"flow_dst_last_pkt_time":1431970707911507,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":26,"thread_ts_usec":1431970707911507,"pkt":"0NQSxnP1PBXCt3IOCABFAAAu+nsAAEAR9XPAqAEihexDGTLdwCsAGiMOfdMCo1rvIegrMqRysYXm5vlz"} 00900{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2131,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":266,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970707911507,"flow_src_last_pkt_time":1431970707911507,"flow_dst_last_pkt_time":1431970707911507,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":18,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":18,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970707911507,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"133.236.67.25","src_port":13021,"dst_port":49195,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01339{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2139,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1431970648367692,"flow_src_last_pkt_time":1431970708344887,"flow_dst_last_pkt_time":1431970648367692,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":285,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":363,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":10518,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970708344887,"l3_proto":"ip4","src_ip":"192.168.0.254","dst_ip":"239.255.255.250","src_port":1025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":491,"flow_avg":1893129.5,"flow_max":19856559,"flow_stddev":5777297.0,"c_to_s_min":491,"c_to_s_avg":1893129.5,"c_to_s_max":19856559,"c_to_s_stddev":5777297.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":327,"c_to_s_avg":370.7,"c_to_s_max":405,"c_to_s_stddev":29.1,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +01339{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2139,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1431970648367692,"flow_src_last_pkt_time":1431970708344887,"flow_dst_last_pkt_time":1431970648367692,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":285,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":363,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":10518,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970708344887,"l3_proto":"ip4","src_ip":"192.168.0.254","dst_ip":"239.255.255.250","src_port":1025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":491,"flow_avg":1934748.2,"flow_max":19856559,"flow_stddev":5865016.5,"c_to_s_min":491,"c_to_s_avg":1934748.2,"c_to_s_max":19856559,"c_to_s_stddev":5865016.5,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":327,"c_to_s_avg":370.7,"c_to_s_max":405,"c_to_s_stddev":29.1,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2145,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":267,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970708715662,"flow_src_last_pkt_time":1431970708715662,"flow_dst_last_pkt_time":1431970708715662,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970708715662,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"212.161.8.36","src_port":51319,"dst_port":13392,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2145,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":267,"flow_packet_id":1,"flow_src_last_pkt_time":1431970708715662,"flow_dst_last_pkt_time":1431970708715662,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431970708715662,"pkt":"0NQSxnP1PBXCt3IOCABFAABAWHtAAEAGQ63AqAEi1KEIJMh3NFBvQ5mUAAAAALAC\/\/+uawAAAgQFtAEDAwUBAQgKPjKmLwAAAAAEAgAA"} 00941{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2146,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":233,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970687262098,"flow_src_last_pkt_time":1431970687262098,"flow_dst_last_pkt_time":1431970687262098,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":18,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":18,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970708726988,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"189.188.134.174","src_port":13021,"dst_port":22436,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} diff --git a/test/results/smb_deletefile.pcap.out b/test/results/smb_deletefile.pcap.out index 274e469e0..5031294ae 100644 --- a/test/results/smb_deletefile.pcap.out +++ b/test/results/smb_deletefile.pcap.out @@ -5,7 +5,7 @@ 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1584368315417275,"flow_src_last_pkt_time":1584368315417275,"flow_dst_last_pkt_time":1584368315417275,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":380,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":380,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":380,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1584368315417275,"l3_proto":"ip4","src_ip":"192.168.1.118","dst_ip":"192.168.1.187","src_port":56848,"dst_port":445,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv23","proto_id":"10.41","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":""}} 01193{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1584368315417275,"flow_dst_last_pkt_time":1584368315418447,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":554,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":554,"pkt_l4_len":520,"thread_ts_usec":1584368315418447,"pkt":"KDc3AG3I2MuK4S0uCABFAAIcOK5AAIAGO6zAqAG7wKgBdgG93hDyQzIj6KAG5lAYEAjw+QAAAAAB8P5TTUJAAAEAAAAAAAUAAAABAAAAmAAAAJwPAAAAAAAA\/\/4AABEAAAAdAAAAACgAAAAAAAAAAAAAAAAAAAAAAABZAAAAAQAAAPJad+s0itQBeC8Pcpz71QGM0O1xnPvVAYzQ7XGc+9UBACAAAAAAAAAAIAAAAAAAABEAAAAAAAAAEgQAAAoAAABlAAAACgAAAAAAAAAAAAAA\/lNNQkAAAQAAAAAADgAAAAUAAADYAAAAnQ8AAAAAAAD\/\/gAAEQAAAB0AAAAAKAAAAAAAAAAAAAAAAAAAAAAAAAkASACOAAAAAAAAAAAAAAAzwlM5LZjUATN2tkyb+9UBqrZQPC2Y1AHHrtHNIlnVAYD0HQAAAAAAAAAeAAAAAAAgAAAAJgAAAAAAAAAYAEkATgBOAE8AUwBFAH4AMQAuAEUAWABFAAAAq04CAAAAAQBpAG4AbgBvAHMAZQB0AHUAcAAtADUALgA2AC4AMQAuAGUAeABlAAAA\/lNNQkAAAQAAAAAABgADAAUAAAAAAAAAng8AAAAAAAD\/\/gAAEQAAAB0AAAAAKAAAAAAAAAAAAAAAAAAAAAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1584368315418500,"flow_dst_last_pkt_time":1584368315418447,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1584368315418500,"pkt":"2MuK4S0uKDc3AG3ICABFAAAoAABAAEAGtk7AqAF2wKgBu94QAb3ooAbm8kM0F1AQqfyLpgAA"} -01383{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1584368315417275,"flow_src_last_pkt_time":1584368317627960,"flow_dst_last_pkt_time":1584368317628867,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":412,"flow_dst_max_l4_payload_len":500,"flow_src_tot_l4_payload_len":2972,"flow_dst_tot_l4_payload_len":3826,"midstream":1,"thread_ts_usec":1584368317628867,"l3_proto":"ip4","src_ip":"192.168.1.118","dst_ip":"192.168.1.187","src_port":56848,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":20,"flow_avg":66530784.0,"flow_max":2124562859,"flow_stddev":369633856.0,"c_to_s_min":20,"c_to_s_avg":106338672.0,"c_to_s_max":2124562859,"c_to_s_stddev":463012608.0,"s_to_c_min":124,"s_to_c_avg":184299.3,"s_to_c_max":2158424,"s_to_c_stddev":595264.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":202.6,"c_to_s_max":466,"c_to_s_stddev":166.5,"s_to_c_min":60,"s_to_c_avg":373.3,"s_to_c_max":554,"s_to_c_stddev":180.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv23","proto_id":"10.41","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +01366{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1584368315417275,"flow_src_last_pkt_time":1584368317627960,"flow_dst_last_pkt_time":1584368317628867,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":412,"flow_dst_max_l4_payload_len":500,"flow_src_tot_l4_payload_len":2972,"flow_dst_tot_l4_payload_len":3826,"midstream":1,"thread_ts_usec":1584368317628867,"l3_proto":"ip4","src_ip":"192.168.1.118","dst_ip":"192.168.1.187","src_port":56848,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":20,"flow_avg":142654.1,"flow_max":2158424,"flow_stddev":529256.2,"c_to_s_min":20,"c_to_s_avg":116351.8,"c_to_s_max":2157281,"c_to_s_stddev":481086.4,"s_to_c_min":124,"s_to_c_avg":184299.3,"s_to_c_max":2158424,"s_to_c_stddev":595264.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":202.6,"c_to_s_max":466,"c_to_s_stddev":166.5,"s_to_c_min":60,"s_to_c_avg":373.3,"s_to_c_max":554,"s_to_c_stddev":180.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv23","proto_id":"10.41","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00934{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":101,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":62,"flow_dst_packets_processed":39,"flow_first_seen":1584368315417275,"flow_src_last_pkt_time":1584368317802053,"flow_dst_last_pkt_time":1584368317801987,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":476,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":11034,"flow_dst_tot_l4_payload_len":14218,"midstream":1,"thread_ts_usec":1584368317802053,"l3_proto":"ip4","src_ip":"192.168.1.118","dst_ip":"192.168.1.187","src_port":56848,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv23","proto_id":"10.41","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00570{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":101,"source":"smb_deletefile.pcap","alias":"nDPId-test","packets-captured":101,"packets-processed":101,"total-skipped-flows":0,"total-l4-payload-len":25252,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1584368317802053} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121535/121535 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 485 chars -~~ json string max len.......: 1388 chars -~~ json string avg len.......: 920 chars +~~ json string max len.......: 1371 chars +~~ json string avg len.......: 913 chars diff --git a/test/results/smtp-starttls.pcap.out b/test/results/smtp-starttls.pcap.out index c0c205c62..3904f84b1 100644 --- a/test/results/smtp-starttls.pcap.out +++ b/test/results/smtp-starttls.pcap.out @@ -9,7 +9,7 @@ 01016{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":5,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017124864532,"flow_dst_last_pkt_time":1388017124864365,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":235,"midstream":0,"thread_ts_usec":1388017124864532,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} 01018{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017124864532,"flow_dst_last_pkt_time":1388017124876575,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":1653,"midstream":0,"thread_ts_usec":1388017124876575,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} 01122{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":8,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017124876854,"flow_dst_last_pkt_time":1388017124876863,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":3924,"midstream":0,"thread_ts_usec":1388017124876863,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} -01607{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017125217215,"flow_dst_last_pkt_time":1388017125228642,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":686,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1384,"flow_dst_tot_l4_payload_len":4627,"midstream":0,"thread_ts_usec":1388017125228642,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":26,"flow_avg":123584368.0,"flow_max":3953779666,"flow_stddev":687923392.0,"c_to_s_min":79,"c_to_s_avg":263615600.0,"c_to_s_max":3953779666,"c_to_s_stddev":986237824.0,"s_to_c_min":26,"s_to_c_avg":27399.5,"s_to_c_max":103694,"s_to_c_stddev":29349.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":158.8,"c_to_s_max":752,"c_to_s_stddev":176.2,"s_to_c_min":66,"s_to_c_avg":338.6,"s_to_c_max":1484,"s_to_c_stddev":460.9}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} +01583{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017125217215,"flow_dst_last_pkt_time":1388017125228642,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":686,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1384,"flow_dst_tot_l4_payload_len":4627,"midstream":0,"thread_ts_usec":1388017125228642,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":26,"flow_avg":29682.5,"flow_max":156957,"flow_stddev":34710.8,"c_to_s_min":79,"c_to_s_avg":32454.6,"c_to_s_max":156957,"c_to_s_stddev":40098.2,"s_to_c_min":26,"s_to_c_avg":27399.5,"s_to_c_max":103694,"s_to_c_stddev":29349.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":158.8,"c_to_s_max":752,"c_to_s_stddev":176.2,"s_to_c_min":66,"s_to_c_avg":338.6,"s_to_c_max":1484,"s_to_c_stddev":460.9}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} 00563{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":37,"source":"smtp-starttls.pcap","alias":"nDPId-test","packets-captured":37,"packets-processed":36,"total-skipped-flows":0,"total-l4-payload-len":6011,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1524746968365832} 00792{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":37,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968365832,"flow_dst_last_pkt_time":1524746968365832,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1524746968365832,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00563{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1524746968365832,"flow_dst_last_pkt_time":1524746968365832,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":34525,"pkt_l3_offset":18,"pkt_l4_offset":58,"pkt_len":90,"pkt_l4_len":32,"thread_ts_usec":1524746968365832,"pkt":"tAwlBY4TAAwpwTTcgQAAfYbdYAAAAAAgBkAgAwDeIBYBJfw2gxdOhstyIAMA3iAWASAAAAAACggAUx2KABlaBfS8AAAAAIACIAC67wAAAgQFoAEDAwIBAQQC"} @@ -18,7 +18,7 @@ 00993{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":43,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968396333,"flow_dst_last_pkt_time":1524746968396833,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":152,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":210,"midstream":0,"thread_ts_usec":1524746968396833,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"jw-vm08-int-dns.webernetz.net","smtp": {"user":"","password":"","auth_failed":0}}} 01042{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":46,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968398581,"flow_dst_last_pkt_time":1524746968397832,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":152,"flow_src_tot_l4_payload_len":242,"flow_dst_tot_l4_payload_len":240,"midstream":0,"thread_ts_usec":1524746968398581,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01252{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968398581,"flow_dst_last_pkt_time":1524746968403958,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":1140,"flow_src_tot_l4_payload_len":242,"flow_dst_tot_l4_payload_len":1380,"midstream":0,"thread_ts_usec":1524746968403958,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} -01738{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":68,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968662121,"flow_dst_last_pkt_time":1524746968661622,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1034,"flow_dst_max_l4_payload_len":1140,"flow_src_tot_l4_payload_len":1734,"flow_dst_tot_l4_payload_len":2097,"midstream":0,"thread_ts_usec":1524746968662121,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":120463384.0,"flow_max":3854236298,"flow_stddev":670605440.0,"c_to_s_min":2,"c_to_s_avg":240908288.0,"c_to_s_max":3854236298,"c_to_s_stddev":932957248.0,"s_to_c_min":127,"s_to_c_avg":18486.9,"s_to_c_max":202034,"s_to_c_stddev":47793.5},"pktlen": {"c_to_s_min":78,"c_to_s_avg":187.1,"c_to_s_max":1112,"c_to_s_stddev":243.9,"s_to_c_min":78,"s_to_c_avg":209.8,"s_to_c_max":1218,"s_to_c_stddev":269.1}},"ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} +01714{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":68,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968662121,"flow_dst_last_pkt_time":1524746968661622,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1034,"flow_dst_max_l4_payload_len":1140,"flow_src_tot_l4_payload_len":1734,"flow_dst_tot_l4_payload_len":2097,"midstream":0,"thread_ts_usec":1524746968662121,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":19099.3,"flow_max":202908,"flow_stddev":48707.1,"c_to_s_min":2,"c_to_s_avg":19752.6,"c_to_s_max":202908,"c_to_s_stddev":49654.8,"s_to_c_min":127,"s_to_c_avg":18486.9,"s_to_c_max":202034,"s_to_c_stddev":47793.5},"pktlen": {"c_to_s_min":78,"c_to_s_avg":187.1,"c_to_s_max":1112,"c_to_s_stddev":243.9,"s_to_c_min":78,"s_to_c_avg":209.8,"s_to_c_max":1218,"s_to_c_stddev":269.1}},"ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01286{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":69,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":17,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968662121,"flow_dst_last_pkt_time":1524746968663137,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1034,"flow_dst_max_l4_payload_len":1140,"flow_src_tot_l4_payload_len":1734,"flow_dst_tot_l4_payload_len":2097,"midstream":0,"thread_ts_usec":1524746968663137,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01155{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":69,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":19,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017125228821,"flow_dst_last_pkt_time":1388017125239930,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":686,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1384,"flow_dst_tot_l4_payload_len":4627,"midstream":0,"thread_ts_usec":1524746968663137,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":69,"source":"smtp-starttls.pcap","alias":"nDPId-test","packets-captured":69,"packets-processed":69,"total-skipped-flows":0,"total-l4-payload-len":9842,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":6,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":24,"global_ts_usec":1524746968663137} @@ -35,5 +35,5 @@ ~~ total allocations/frees...: 121550/121550 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 484 chars -~~ json string max len.......: 1743 chars -~~ json string avg len.......: 1108 chars +~~ json string max len.......: 1719 chars +~~ json string avg len.......: 1096 chars diff --git a/test/results/smtp.pcap.out b/test/results/smtp.pcap.out index e7b775dab..e0c0aff6d 100644 --- a/test/results/smtp.pcap.out +++ b/test/results/smtp.pcap.out @@ -5,7 +5,7 @@ 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":934028408568957,"flow_dst_last_pkt_time":934028408569273,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":934028408569273,"pkt":"ABB7OEYzAMBPo1fbCABFAAAsFcQAAEAGi4esEHLPwgf4mQAZCE+jURBm5ahCFGASf+Ba2AAAAgQFtAW0"} 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":934028408570091,"flow_dst_last_pkt_time":934028408569273,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":934028408570091,"pkt":"AMBPo1fbABB7OEYzCABFAAAoEDRAAD8GUhvCB\/iZrBByzwhPABnlqEIUo1EQZ1AQfXh0\/QAAAAAAAAAA"} 00936{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":934028408568957,"flow_src_last_pkt_time":934028408647164,"flow_dst_last_pkt_time":934028408647434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":154,"midstream":0,"thread_ts_usec":934028408647434,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"pigeon.eyrie.af.mil","smtp": {"user":"","password":"","auth_failed":0}}} -01341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":934028408568957,"flow_src_last_pkt_time":934028408659170,"flow_dst_last_pkt_time":934028408659389,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":469,"flow_dst_tot_l4_payload_len":576,"midstream":0,"thread_ts_usec":934028408659389,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":316,"flow_avg":58465256.0,"flow_max":1870707565,"flow_stddev":325488320.0,"c_to_s_min":1048,"c_to_s_avg":116924864.0,"c_to_s_max":1870707565,"c_to_s_stddev":452824736.0,"s_to_c_min":316,"s_to_c_avg":5652.0,"s_to_c_max":55118,"s_to_c_stddev":13541.6},"pktlen": {"c_to_s_min":60,"c_to_s_avg":84.4,"c_to_s_max":94,"c_to_s_stddev":13.0,"s_to_c_min":60,"s_to_c_avg":90.8,"s_to_c_max":138,"s_to_c_stddev":16.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}} +01314{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":934028408568957,"flow_src_last_pkt_time":934028408659170,"flow_dst_last_pkt_time":934028408659389,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":469,"flow_dst_tot_l4_payload_len":576,"midstream":0,"thread_ts_usec":934028408659389,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":316,"flow_avg":5827.3,"flow_max":55118,"flow_stddev":11962.2,"c_to_s_min":1048,"c_to_s_avg":6014.2,"c_to_s_max":31096,"c_to_s_stddev":10003.1,"s_to_c_min":316,"s_to_c_avg":5652.0,"s_to_c_max":55118,"s_to_c_stddev":13541.6},"pktlen": {"c_to_s_min":60,"c_to_s_avg":84.4,"c_to_s_max":94,"c_to_s_stddev":13.0,"s_to_c_min":60,"s_to_c_avg":90.8,"s_to_c_max":138,"s_to_c_stddev":16.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}} 00899{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":95,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":51,"flow_dst_packets_processed":44,"flow_first_seen":934028408568957,"flow_src_last_pkt_time":934028408801393,"flow_dst_last_pkt_time":934028408801610,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":16527,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":934028408801610,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}} 00556{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":95,"source":"smtp.pcap","alias":"nDPId-test","packets-captured":95,"packets-processed":95,"total-skipped-flows":0,"total-l4-payload-len":17955,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":934028408801610} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121530/121530 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 475 chars -~~ json string max len.......: 1346 chars -~~ json string avg len.......: 877 chars +~~ json string max len.......: 1319 chars +~~ json string avg len.......: 866 chars diff --git a/test/results/snapchat_call.pcapng.out b/test/results/snapchat_call.pcapng.out index e76ec6728..2a5e35c84 100644 --- a/test/results/snapchat_call.pcapng.out +++ b/test/results/snapchat_call.pcapng.out @@ -6,7 +6,7 @@ 02340{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1595865799020160,"flow_dst_last_pkt_time":1595865799037006,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1595865799037006,"pkt":"mt9Y+uvcCL6sCxduCABFAAVi60BAACUR+rISuIqOwKgMqQG7pGMFThqhw1EwNDYFw4BG53qjBuoAAAABHHnqt4ztMz51vP6XgAFSRUoABwAAAFNUSwA5AAAAU05PAG0AAABQUk9GtAAAAFNDRkc7AQAAUlJFSj8BAABTVFRMRwEAAENSVP9OBwAAbUU2ixV5Jj1qHEQQZYOHtdotUTPKCy0omzKN6SE7STZ4\/rKMxZ9\/rrj8l9tx+PhU9mRQzeJZ+1Dabp0JaMw4Ax2lLo8wBUBdtg1GpS3urBIhqVx\/8nRPLB1cTLrUpB570Ce5EPUwnKR9lOYP4jBFAiB3SpfbIfQpyAe+ZsA1KXWbSYFVXmlAhM9hKVIcNwAFzwIhAKINNKjm9Y0DRmywB4GeockL0Y3PJJ2PTHmxvqAl6rucU0NGRwYAAABBRUFECAAAAFNDSUQYAAAAUFVCUzsAAABLRVhTPwAAAE9CSVRHAAAARVhQWU8AAABBRVNHQ0MyMAO\/Pud+GiRqUM930xoSwNMgAAAzgoMwBXTcjfX\/uLgWESbe\/GDn3+Z5Wy5eude5hIrxK0MyNTUy3iwBeDJ0hdzKD01zAQAADAAAAHLO80MAAAAAAQEA6ggAAHi7IlF+sTNiZQCWXKx6Bk0smxcAyyAmJgFO2z2LJtgwHuFZfF6JuflcqgEXGwewWDpny8LMbOCDWiSJGghD0i2PS2Z6Jqg4ACVbQzWg\/8FJRBYu7OrsjFmUAwsFIwNgXkJkLSMjUNYyNAJzDVJQbYOmUQ5hLmdg+knLL8rLTIQ5gV2YJzgxryRRwTc\/Dxh4hkIGAhCXcQbnJRZAMhNUKTMPj5YeMFhzMstS9TLzDSKBwuxgHzIxQr3KzMjO7MTA0igTPiXBhk\/onni666rTEwW2GV7P0HIt5RAIXKgqHG0lyz+LaQ37Sb9X68wmMzzfpJMbI+6\/war2EINr2z3pHSav6hc3MccaNDFHokTO4rnP5H\/esvQ\/kPdi4umpS28ZPuKaj1RHBL7\/ujNAPVOn37WS752O83bRN1k7DJRB0oIsMgZSTShub+JC8gdKYcjeQKjszISUlUkGCQZ6C3QWaLVpIMpKY72UTKR8UVycnKibmpysm24IrtEw1JvgV+8DKQhdDZyBxSOkYfA3h5ERX\/GLYp5zQLABBxtbeiMPMIEaVCPltXyDXNx5DdkMA1ekvGYJc3kiSLoY1TJYkgWmWEiCRSp3StBqrCbGWjYucEl5rZKJhYmliTEXiDMZ0xnKGNyWhr4u\/TVRwWDros7ML59rBXUcS\/b99dzRuvrTn4J\/ue4MDIyF97xNnBgYWJgZ3A1cmRQZZl+WnuB1dsnif3fPXLu66NVPttQQNgnXFyeSpjbviVMPvsSkkKnJ8SbX7sSrj30mcX6\/VAWXm72+rLYpIjtI\/4Pe2rlv1IH2Krm6skeGqoRNs1+o\/\/F7btsDZbXktQe862OPNcfkPeJngtqrDrdXwUB1507jl12PbQL\/ybLt+9VWcsd2\/4OdQYxPekSfzHnGdBnksoD\/k8V3L9Lbv0bDO\/WlV93k58q8IeJ7Shd\/k5gaMNlDhaGUIXDxhq9\/GSvnhOXuMK\/o51lSdUZa\/fT3eR1Os3j\/XelmfQq11x5sr5uBC5NC2tpbFwyfLJZe8nnhYvF5pYurJx\/i93xZwbWvt+mx29md\/5kUgrJ0vgl\/6lq870XJzFvZL9lvZZeX8D\/9s4v3bXp609M\/CshlE3Mmg0EakyHDDbOtMsq6skVXu5mVPu76eNXwNe+pKj\/OfovXBece+Cifdpz8TnOjJcPFhjtTSzUqxSSAWrZv6p0iOl+y6nXK3m9XXNa84pm1qPWQefDM"} 02314{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1595865799020160,"flow_dst_last_pkt_time":1595865799037074,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1595865799037074,"pkt":"mt9Y+uvcCL6sCxduCABFAAVi60FAACUR+rESuIqOwKgMqQG7pGMFTlWjw1EwNDYFw4BG53qjBuoAAAACYTy54mZ50XnS5MjxpAEFJgJoF8maXr+sg1zn\/py4s01uT+X8o3fm32Z\/27aBGVRqMq8xaGKaAi01uU5r7HKLe2rJUVZS8PnsMSHkxhwPsDGXSFTBCa1buYUF0POAoYKBHKRMFYfrgNSNCkH5+SWw9rKxgbGBBbT4BJamyFwql91lwAIWXmqyajeyMCgxJzGwPOJwelV+Q+XeAp2UJcLnHOYoF61k4uIzt1c029EbLPLt6sSp3p+nMfUWyh25cXr5\/Lj3C57VR00SnBac\/\/rAaft1f6Pt3VWez2LXm7Zvhf7ucIn1hUv2VljJvYi2yU4R1D5jot2zuIlREZjtZA2E4BmRw4ANSDEBW4soJSBjm4EJUkmhYaBGZEnhBCkYrUGNuQWmC4zbDHEWjLAggsQEKCIgzRMDW0iJZwas2ozYWIBMBpIKO0R1gLW2QK5OmO8FmIZd9Nmd9mHxI2npw9M32V4MRUt84P7L8a4Fzt5vSk4eXX1V3sDULG9GWLXHGtbkddWzwlXCz+T\/urc6d87xbbvenHt+qjjl9n0Wcy4Gz83289XWTuxReCHfwaf1O838hMGLS4dUlrt66L5iDPAynCJ8vzf+ltZuT5vEz5Un5qRNkpqm9aXaLGKxjqNAidTltx7bLu3uYnMtNBYwqKqaoXhXZeebOVsnsa9tPnYk60f5M9N9wvzqKZuc9ze\/LA+7zdE+xV3ka7zG+sUZPs39Cd+nNVS2ZpWpzZ3Ko8Dca\/euSiM1JW3JzeZXM0vO5vnWyrzu3XR0vZi034nPoa86LARNZAXX27Ov8M+6VCKor\/WneHv8IVFn1pxrtbeY9irN9r\/8sxwAcED2UAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 01044{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":20,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":9,"flow_first_seen":1595865799020160,"flow_src_last_pkt_time":1595865799615597,"flow_dst_last_pkt_time":1595865799120864,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3730,"flow_dst_tot_l4_payload_len":4552,"midstream":0,"thread_ts_usec":1595865799615597,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.184.138.142","src_port":42083,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC.SnapchatCall","proto_id":"188.255","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","quic": {}}} -01517{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1595865799020160,"flow_src_last_pkt_time":1595865802042641,"flow_dst_last_pkt_time":1595865802853531,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3902,"flow_dst_tot_l4_payload_len":5824,"midstream":0,"thread_ts_usec":1595865802853531,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.184.138.142","src_port":42083,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":62111568.0,"flow_max":1980714352,"flow_stddev":344591456.0,"c_to_s_min":7,"c_to_s_avg":123983552.0,"c_to_s_max":1980714352,"c_to_s_stddev":479405952.0,"s_to_c_min":16,"s_to_c_avg":239585.7,"s_to_c_max":1447282,"s_to_c_stddev":434188.8},"pktlen": {"c_to_s_min":70,"c_to_s_avg":285.9,"c_to_s_max":1392,"c_to_s_stddev":438.5,"s_to_c_min":62,"s_to_c_avg":406.0,"s_to_c_max":1392,"s_to_c_stddev":489.4}},"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC.SnapchatCall","proto_id":"188.255","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01500{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1595865799020160,"flow_src_last_pkt_time":1595865802042641,"flow_dst_last_pkt_time":1595865802853531,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3902,"flow_dst_tot_l4_payload_len":5824,"midstream":0,"thread_ts_usec":1595865802853531,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.184.138.142","src_port":42083,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":221156.5,"flow_max":1447282,"flow_stddev":397282.2,"c_to_s_min":7,"c_to_s_avg":201498.7,"c_to_s_max":1172660,"c_to_s_stddev":352635.6,"s_to_c_min":16,"s_to_c_avg":239585.7,"s_to_c_max":1447282,"s_to_c_stddev":434188.8},"pktlen": {"c_to_s_min":70,"c_to_s_avg":285.9,"c_to_s_max":1392,"c_to_s_stddev":438.5,"s_to_c_min":62,"s_to_c_avg":406.0,"s_to_c_max":1392,"s_to_c_stddev":489.4}},"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC.SnapchatCall","proto_id":"188.255","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01065{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":50,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":25,"flow_first_seen":1595865799020160,"flow_src_last_pkt_time":1595865807298358,"flow_dst_last_pkt_time":1595865807311868,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4245,"flow_dst_tot_l4_payload_len":6427,"midstream":0,"thread_ts_usec":1595865807311868,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.184.138.142","src_port":42083,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC.SnapchatCall","proto_id":"188.255","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00568{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":50,"source":"snapchat_call.pcapng","alias":"nDPId-test","packets-captured":50,"packets-processed":50,"total-skipped-flows":0,"total-l4-payload-len":10672,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1595865807311868} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/softether.pcap.out b/test/results/softether.pcap.out index b388e2042..abfe1059a 100644 --- a/test/results/softether.pcap.out +++ b/test/results/softether.pcap.out @@ -54,7 +54,7 @@ 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":116,"source":"softether.pcap","alias":"nDPId-test","packets-captured":116,"packets-processed":115,"total-skipped-flows":0,"total-l4-payload-len":9429,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":6,"total-updates":3,"current-active-flows":1,"total-active-flows":6,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":54,"global_ts_usec":1657906301393000} 00913{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":118,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":8,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657906301393000,"flow_dst_last_pkt_time":1657906301648000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":488,"flow_dst_tot_l4_payload_len":524,"midstream":0,"thread_ts_usec":1657906301648000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00563{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":131,"source":"softether.pcap","alias":"nDPId-test","packets-captured":131,"packets-processed":130,"total-skipped-flows":0,"total-l4-payload-len":10412,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":6,"total-updates":4,"current-active-flows":1,"total-active-flows":6,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":56,"global_ts_usec":1657907318692000} -01387{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":132,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907318692000,"flow_dst_last_pkt_time":1657907318946000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":1020,"midstream":0,"thread_ts_usec":1657907318946000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":257000,"flow_avg":71184248.0,"flow_max":1566080232,"flow_stddev":484398528.0,"c_to_s_min":5427000,"c_to_s_avg":226837056.0,"c_to_s_max":1540291232,"c_to_s_stddev":456899520.0,"s_to_c_min":257000,"s_to_c_avg":181108896.0,"s_to_c_max":1566080232,"s_to_c_stddev":428569632.0},"pktlen": {"c_to_s_min":43,"c_to_s_avg":99.4,"c_to_s_max":522,"c_to_s_stddev":154.3,"s_to_c_min":70,"s_to_c_avg":110.0,"s_to_c_max":370,"s_to_c_stddev":102.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01387{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":132,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907318692000,"flow_dst_last_pkt_time":1657907318946000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":1020,"midstream":0,"thread_ts_usec":1657907318946000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":257000,"flow_avg":36711136.0,"flow_max":1566080232,"flow_stddev":451865472.0,"c_to_s_min":5427000,"c_to_s_avg":169773696.0,"c_to_s_max":1540291232,"c_to_s_stddev":407981152.0,"s_to_c_min":257000,"s_to_c_avg":181108896.0,"s_to_c_max":1566080232,"s_to_c_stddev":428569632.0},"pktlen": {"c_to_s_min":43,"c_to_s_avg":99.4,"c_to_s_max":522,"c_to_s_stddev":154.3,"s_to_c_min":70,"s_to_c_avg":110.0,"s_to_c_max":370,"s_to_c_stddev":102.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00916{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":133,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907318692000,"flow_dst_last_pkt_time":1657907318946000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":1020,"midstream":0,"thread_ts_usec":1657907318946000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00563{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":146,"source":"softether.pcap","alias":"nDPId-test","packets-captured":146,"packets-processed":145,"total-skipped-flows":0,"total-l4-payload-len":11395,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":6,"total-updates":5,"current-active-flows":1,"total-active-flows":6,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":59,"global_ts_usec":1657959489569000} 00917{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":148,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":22,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657959489569000,"flow_dst_last_pkt_time":1657959489824000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":1462,"flow_dst_tot_l4_payload_len":1516,"midstream":0,"thread_ts_usec":1657959489824000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} diff --git a/test/results/ssh.pcap.out b/test/results/ssh.pcap.out index e39753349..0ba0d545e 100644 --- a/test/results/ssh.pcap.out +++ b/test/results/ssh.pcap.out @@ -9,7 +9,7 @@ 01252{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435464768726,"flow_dst_last_pkt_time":1320435464768382,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":21,"flow_dst_max_l4_payload_len":21,"flow_src_tot_l4_payload_len":21,"flow_dst_tot_l4_payload_len":21,"midstream":0,"thread_ts_usec":1320435464768726,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","ssh": {"client_signature":"SSH-2.0-OpenSSH_5.3","server_signature":"SSH-2.0-OpenSSH_5.6","hassh_client":"","hassh_server":""}}} 01286{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435464769196,"flow_dst_last_pkt_time":1320435464769170,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":21,"flow_src_tot_l4_payload_len":925,"flow_dst_tot_l4_payload_len":21,"midstream":0,"thread_ts_usec":1320435464769196,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","ssh": {"client_signature":"SSH-2.0-OpenSSH_5.3","server_signature":"SSH-2.0-OpenSSH_5.6","hassh_client":"21B457A327CE7A2D4FCE5EF2C42400BD","hassh_server":""}}} 01321{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435464769196,"flow_dst_last_pkt_time":1320435464770779,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":784,"flow_src_tot_l4_payload_len":925,"flow_dst_tot_l4_payload_len":805,"midstream":0,"thread_ts_usec":1320435464770779,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","ssh": {"client_signature":"SSH-2.0-OpenSSH_5.3","server_signature":"SSH-2.0-OpenSSH_5.6","hassh_client":"21B457A327CE7A2D4FCE5EF2C42400BD","hassh_server":"B1C6C0D56317555B85C7005A3DE29325"}}} -01618{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435472330349,"flow_dst_last_pkt_time":1320435469423179,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":784,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":1885,"midstream":0,"thread_ts_usec":1320435472330349,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":26,"flow_avg":113012896.0,"flow_max":3604179620,"flow_stddev":627032640.0,"c_to_s_min":41,"c_to_s_avg":200652752.0,"c_to_s_max":3604179620,"c_to_s_stddev":825476992.0,"s_to_c_min":26,"s_to_c_avg":333066.8,"s_to_c_max":2632557,"s_to_c_stddev":796238.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":150.5,"c_to_s_max":970,"c_to_s_stddev":205.3,"s_to_c_min":66,"s_to_c_avg":201.2,"s_to_c_max":850,"s_to_c_stddev":255.8}},"ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +01600{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435472330349,"flow_dst_last_pkt_time":1320435469423179,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":784,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":1885,"midstream":0,"thread_ts_usec":1320435472330349,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":26,"flow_avg":394614.2,"flow_max":2907110,"flow_stddev":888738.9,"c_to_s_min":41,"c_to_s_avg":445300.3,"c_to_s_max":2907110,"c_to_s_stddev":955261.1,"s_to_c_min":26,"s_to_c_avg":333066.8,"s_to_c_max":2632557,"s_to_c_stddev":796238.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":150.5,"c_to_s_max":970,"c_to_s_stddev":205.3,"s_to_c_min":66,"s_to_c_avg":201.2,"s_to_c_max":850,"s_to_c_stddev":255.8}},"ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 01168{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":258,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":159,"flow_dst_packets_processed":99,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435713237065,"flow_dst_last_pkt_time":1320435713237024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":5109,"flow_dst_tot_l4_payload_len":13389,"midstream":0,"thread_ts_usec":1320435713237065,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00559{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":258,"source":"ssh.pcap","alias":"nDPId-test","packets-captured":258,"packets-processed":258,"total-skipped-flows":0,"total-l4-payload-len":18498,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1320435713237065} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -25,5 +25,5 @@ ~~ total allocations/frees...: 121696/121696 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 474 chars -~~ json string max len.......: 1623 chars -~~ json string avg len.......: 1025 chars +~~ json string max len.......: 1605 chars +~~ json string avg len.......: 1018 chars diff --git a/test/results/starcraft_battle.pcap.out b/test/results/starcraft_battle.pcap.out index 05dfdb751..951c78650 100644 --- a/test/results/starcraft_battle.pcap.out +++ b/test/results/starcraft_battle.pcap.out @@ -73,7 +73,7 @@ 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":59,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1437389964848564,"flow_dst_last_pkt_time":1437389964848509,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1437389964848564,"pkt":"hCYVPnXEIImEa8W6CABFAAAoFwpAAIAG68LAqAFkV\/jd\/g20AFApaAexwNDY71AQBADa8wAA"} 01219{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1437389964790451,"flow_src_last_pkt_time":1437389964848660,"flow_dst_last_pkt_time":1437389964848509,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389964848660,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"87.248.221.254","src_port":3508,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"llnw.blizzard.com","http": {"url":"llnw.blizzard.com\/sc2-pod-retail\/AF11CD00\/EU\/24621.direct\/s2-36281-BA356DD57557728843CAF63A12C79AA3.mfil","code":0,"content_type":"","user_agent":"Blizzard Web Client"}}} 01374{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":62,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1437389964790451,"flow_src_last_pkt_time":1437389964848660,"flow_dst_last_pkt_time":1437389964921004,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1437389964921004,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"87.248.221.254","src_port":3508,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"llnw.blizzard.com","http": {"url":"llnw.blizzard.com\/sc2-pod-retail\/AF11CD00\/EU\/24621.direct\/s2-36281-BA356DD57557728843CAF63A12C79AA3.mfil","code":200,"content_type":"application\/octet-stream","user_agent":"Blizzard Web Client"}}} -01583{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1437389964790451,"flow_src_last_pkt_time":1437389964979632,"flow_dst_last_pkt_time":1437389964979854,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":20440,"midstream":0,"thread_ts_usec":1437389964979854,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"87.248.221.254","src_port":3508,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":74,"flow_avg":13020.0,"flow_max":72387,"flow_stddev":23762.6,"c_to_s_min":74,"c_to_s_avg":14202.2,"c_to_s_max":72387,"c_to_s_stddev":25091.3,"s_to_c_min":91,"s_to_c_avg":11837.7,"s_to_c_max":58244,"s_to_c_stddev":22292.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":66.4,"c_to_s_max":241,"c_to_s_stddev":45.2,"s_to_c_min":60,"s_to_c_avg":1332.6,"s_to_c_max":1514,"s_to_c_stddev":479.9}},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} +01583{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1437389964790451,"flow_src_last_pkt_time":1437389964979632,"flow_dst_last_pkt_time":1437389964979854,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":20440,"midstream":0,"thread_ts_usec":1437389964979854,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"87.248.221.254","src_port":3508,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":74,"flow_avg":12212.4,"flow_max":72387,"flow_stddev":23706.7,"c_to_s_min":74,"c_to_s_avg":12612.1,"c_to_s_max":72387,"c_to_s_stddev":25121.5,"s_to_c_min":91,"s_to_c_avg":11837.7,"s_to_c_max":58244,"s_to_c_stddev":22292.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":66.4,"c_to_s_max":241,"c_to_s_stddev":45.2,"s_to_c_min":60,"s_to_c_avg":1332.6,"s_to_c_max":1514,"s_to_c_stddev":479.9}},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":234,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1437389967432431,"flow_src_last_pkt_time":1437389967432431,"flow_dst_last_pkt_time":1437389967432431,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389967432431,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"12.129.222.54","src_port":3512,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":234,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1437389967432431,"flow_dst_last_pkt_time":1437389967432431,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1437389967432431,"pkt":"hCYVPnXEIImEa8W6CABFAAA0U2dAAIAG+pjAqAFkDIHeNg24AFDXJA2NAAAAAIACIACvkgAAAgQFtAEDAwgBAQQC"} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":235,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1437389967432431,"flow_dst_last_pkt_time":1437389967630455,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1437389967630455,"pkt":"IImEa8W6hCYVPnXECABFAAA0AABAAC0GoQAMgd42wKgBZABQDbj6JMXG1yQNjoASFtD4xgAAAgQFtAEBBAIBAwMH"} @@ -163,7 +163,7 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":335,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_src_last_pkt_time":1437389982269189,"flow_dst_last_pkt_time":1437389982326953,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1437389982326953,"pkt":"IImEa8W6hCYVPnXECABFAAAsAABAADMGertQ77oVwKgBZABQDb8Q\/FwJfHOL6GASOQgOjQAAAgQFtAAA"} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":336,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_src_last_pkt_time":1437389982327018,"flow_dst_last_pkt_time":1437389982326953,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1437389982327018,"pkt":"hCYVPnXEIImEa8W6CABFAAAoREtAAIAG6XPAqAFkUO+6FQ2\/AFB8c4voEPxcClAQ+vBkYQAA"} 01035{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":337,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1437389982269189,"flow_src_last_pkt_time":1437389982327086,"flow_dst_last_pkt_time":1437389982326953,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":200,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":200,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389982327086,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"80.239.186.21","src_port":3519,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"eu.launcher.battle.net","http": {"url":"eu.launcher.battle.net\/service\/s2\/alert\/en-gb","code":0,"content_type":"","user_agent":"Battle.net Web Client"}}} -01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":373,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":6,"flow_first_seen":1437389982130449,"flow_src_last_pkt_time":1437389982733601,"flow_dst_last_pkt_time":1437389982710820,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":743,"flow_src_tot_l4_payload_len":893,"flow_dst_tot_l4_payload_len":1074,"midstream":0,"thread_ts_usec":1437389982733601,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"213.248.127.130","src_port":3517,"dst_port":1119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":22,"flow_avg":58504.0,"flow_max":688606,"flow_stddev":124724.8,"c_to_s_min":22,"c_to_s_avg":49683.0,"c_to_s_max":688606,"c_to_s_stddev":133624.5,"s_to_c_min":24327,"s_to_c_avg":96728.5,"s_to_c_max":166321,"s_to_c_stddev":61601.3},"pktlen": {"c_to_s_min":54,"c_to_s_avg":88.8,"c_to_s_max":249,"c_to_s_stddev":47.6,"s_to_c_min":60,"s_to_c_avg":236.0,"s_to_c_max":797,"s_to_c_stddev":266.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Starcraft","proto_id":"213","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} +01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":373,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":6,"flow_first_seen":1437389982130449,"flow_src_last_pkt_time":1437389982733601,"flow_dst_last_pkt_time":1437389982710820,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":743,"flow_src_tot_l4_payload_len":893,"flow_dst_tot_l4_payload_len":1074,"midstream":0,"thread_ts_usec":1437389982733601,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"213.248.127.130","src_port":3517,"dst_port":1119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":22,"flow_avg":38178.2,"flow_max":166321,"flow_stddev":53269.1,"c_to_s_min":22,"c_to_s_avg":24126.1,"c_to_s_max":128649,"c_to_s_stddev":39845.5,"s_to_c_min":24327,"s_to_c_avg":96728.5,"s_to_c_max":166321,"s_to_c_stddev":61601.3},"pktlen": {"c_to_s_min":54,"c_to_s_avg":88.8,"c_to_s_max":249,"c_to_s_stddev":47.6,"s_to_c_min":60,"s_to_c_avg":236.0,"s_to_c_max":797,"s_to_c_stddev":266.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Starcraft","proto_id":"213","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":377,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1437389982769377,"flow_src_last_pkt_time":1437389982769377,"flow_dst_last_pkt_time":1437389982769377,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389982769377,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"5.42.180.154","src_port":53146,"dst_port":1119,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00506{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":377,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1437389982769377,"flow_dst_last_pkt_time":1437389982769377,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":44,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":44,"pkt_l4_len":10,"thread_ts_usec":1437389982769377,"pkt":"hCYVPnXEIImEa8W6CABFAAAeGS0AAIARpdHAqAFkBSq0ms+aBF8ACqcOCQE="} 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":378,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1437389982769429,"flow_src_last_pkt_time":1437389982769429,"flow_dst_last_pkt_time":1437389982769429,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389982769429,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"62.115.246.51","src_port":53146,"dst_port":1119,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -249,7 +249,7 @@ 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":686,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":2,"flow_src_last_pkt_time":1437389985925643,"flow_dst_last_pkt_time":1437389985962002,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1437389985962002,"pkt":"IImEa8W6hCYVPnXECABFAAA0AABAADkGTmQC5C5wwKgBZABQDc1+R6dFIysb3oASOQjP5wAAAgQFtAEBBAIBAwMF"} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":687,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":3,"flow_src_last_pkt_time":1437389985962022,"flow_dst_last_pkt_time":1437389985962002,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1437389985962022,"pkt":"hCYVPnXEIImEa8W6CABFAAAoLPpAAIAG2nXAqAFkAuQucA3NAFAjKxvefkenRlAQAQBIwAAA"} 01064{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":688,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1437389985925643,"flow_src_last_pkt_time":1437389985962058,"flow_dst_last_pkt_time":1437389985962002,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":146,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":146,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389985962058,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"2.228.46.112","src_port":3533,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"bnetcmsus-a.akamaihd.net","http": {"url":"bnetcmsus-a.akamaihd.net\/cms\/bnet_header\/mf\/MFTH8TS42HKX1430183778319.jpg","code":0,"content_type":"","user_agent":"Battle.net Web Client"}}} -01336{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":791,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1437389985891466,"flow_src_last_pkt_time":1437389985995179,"flow_dst_last_pkt_time":1437389985995168,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":26280,"midstream":0,"thread_ts_usec":1437389985995179,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"2.228.46.112","src_port":3527,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":65,"flow_avg":8653.4,"flow_max":69495,"flow_stddev":16826.5,"c_to_s_min":232,"c_to_s_avg":14434.0,"c_to_s_max":69495,"c_to_s_stddev":21677.8,"s_to_c_min":65,"s_to_c_avg":5185.1,"s_to_c_max":34324,"s_to_c_stddev":11788.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":67.4,"c_to_s_max":203,"c_to_s_stddev":41.0,"s_to_c_min":60,"s_to_c_avg":1368.9,"s_to_c_max":1514,"s_to_c_stddev":435.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01335{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":791,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1437389985891466,"flow_src_last_pkt_time":1437389985995179,"flow_dst_last_pkt_time":1437389985995168,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":26280,"midstream":0,"thread_ts_usec":1437389985995179,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"2.228.46.112","src_port":3527,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":65,"flow_avg":6690.8,"flow_max":34324,"flow_stddev":13000.1,"c_to_s_min":232,"c_to_s_avg":9428.5,"c_to_s_max":33880,"c_to_s_stddev":14559.6,"s_to_c_min":65,"s_to_c_avg":5185.1,"s_to_c_max":34324,"s_to_c_stddev":11788.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":67.4,"c_to_s_max":203,"c_to_s_stddev":41.0,"s_to_c_min":60,"s_to_c_avg":1368.9,"s_to_c_max":1514,"s_to_c_stddev":435.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00875{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1437389982769429,"flow_src_last_pkt_time":1437389982769429,"flow_dst_last_pkt_time":1437389982825686,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":2,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":2,"midstream":0,"thread_ts_usec":1437389985996137,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"62.115.246.51","src_port":53146,"dst_port":1119,"l4_proto":"udp","ndpi": {"confidence": {"1":"Match by port"},"proto":"Starcraft","proto_id":"213","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} 00766{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1437389982769429,"flow_src_last_pkt_time":1437389982769429,"flow_dst_last_pkt_time":1437389982825686,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":2,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":2,"midstream":0,"thread_ts_usec":1437389985996137,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"62.115.246.51","src_port":53146,"dst_port":1119,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00877{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1437389961548711,"flow_src_last_pkt_time":1437389961548711,"flow_dst_last_pkt_time":1437389961598805,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1437389985996137,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"64.233.184.188","src_port":2759,"dst_port":5228,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Google","proto_id":"126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} diff --git a/test/results/stun_dtls.pcapng.out b/test/results/stun_dtls.pcapng.out index 8c22f0e17..d9f77482e 100644 --- a/test/results/stun_dtls.pcapng.out +++ b/test/results/stun_dtls.pcapng.out @@ -5,7 +5,7 @@ 00621{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"stun_dtls.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1647958145472010,"flow_dst_last_pkt_time":1647958145494943,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":134,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":134,"pkt_l4_len":100,"thread_ts_usec":1647958145494943,"pkt":"mt9Y+uvcCL6sCxduCABFgAB4CTMAAGgRmhOO+lJjwKgMqQ2WwAEAZP2fAQEASCESpEJ3bGtZRHRGSndEMi8ABgAVVlVBazZBeTdodnVMbkxHTzp0eUd1AAAAACAACAABDpd8PUUEAAgAFMkvMxJ2ZVgNos4I+G8Cki6KP0KSgCgABEOVy9w="} 00703{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"stun_dtls.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1647958145497647,"flow_dst_last_pkt_time":1647958145494943,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":195,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":195,"pkt_l4_len":161,"thread_ts_usec":1647958145497647,"pkt":"CL6sCxdumt9Y+uvcCABFAAC1XMZAAEARLsPAqAypjvpSY8ABDZYAoaIVFv7\/AAAAAAAAAAAAjAEAAIAAAAAAAAAAgP791X1ylaTuNVSstdiIoIYfSIMff5WF4WIe0fPoTt2GU88AAAAWwCvAL8ypzKjACcATwArAFACcAC8ANQEAAEAAFwAA\/wEAAQAACgAIAAYAHQAXABgACwACAQAAIwAAAA0AFAASBAMIBAQBBQMIBQUBCAYGAQIBAA4ABQACAAEA"} 00979{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"stun_dtls.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1647958145472010,"flow_src_last_pkt_time":1647958145516401,"flow_dst_last_pkt_time":1647958145494943,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":108,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":373,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1647958145516401,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"142.250.82.99","src_port":49153,"dst_port":3478,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_udp_pkts":3,"num_binding_requests":2,"num_processed_pkts":3}}} -01388{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"stun_dtls.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1647958145472010,"flow_src_last_pkt_time":1647958147569135,"flow_dst_last_pkt_time":1647958147445904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1198,"flow_src_tot_l4_payload_len":2034,"flow_dst_tot_l4_payload_len":2806,"midstream":0,"thread_ts_usec":1647958147569135,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"142.250.82.99","src_port":49153,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":10,"flow_avg":21028252.0,"flow_max":668833018,"flow_stddev":116349384.0,"c_to_s_min":8994,"c_to_s_avg":39466476.0,"c_to_s_max":668833018,"c_to_s_stddev":157341808.0,"s_to_c_min":10,"s_to_c_avg":131592.9,"s_to_c_max":625348,"s_to_c_stddev":204093.5},"pktlen": {"c_to_s_min":107,"c_to_s_avg":161.6,"c_to_s_max":588,"c_to_s_stddev":109.7,"s_to_c_min":76,"s_to_c_avg":229.1,"s_to_c_max":1240,"s_to_c_stddev":297.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01372{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"stun_dtls.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1647958145472010,"flow_src_last_pkt_time":1647958147569135,"flow_dst_last_pkt_time":1647958147445904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1198,"flow_src_tot_l4_payload_len":2034,"flow_dst_tot_l4_payload_len":2806,"midstream":0,"thread_ts_usec":1647958147569135,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"142.250.82.99","src_port":49153,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":10,"flow_avg":131323.2,"flow_max":835905,"flow_stddev":227053.5,"c_to_s_min":8994,"c_to_s_avg":131070.3,"c_to_s_max":835905,"c_to_s_stddev":246644.7,"s_to_c_min":10,"s_to_c_avg":131592.9,"s_to_c_max":625348,"s_to_c_stddev":204093.5},"pktlen": {"c_to_s_min":107,"c_to_s_avg":161.6,"c_to_s_max":588,"c_to_s_stddev":109.7,"s_to_c_min":76,"s_to_c_avg":229.1,"s_to_c_max":1240,"s_to_c_stddev":297.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00936{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":33,"source":"stun_dtls.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":15,"flow_first_seen":1647958145472010,"flow_src_last_pkt_time":1647958147591534,"flow_dst_last_pkt_time":1647958147445904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1198,"flow_src_tot_l4_payload_len":2100,"flow_dst_tot_l4_payload_len":2806,"midstream":0,"thread_ts_usec":1647958147591534,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"142.250.82.99","src_port":49153,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":33,"source":"stun_dtls.pcapng","alias":"nDPId-test","packets-captured":33,"packets-processed":33,"total-skipped-flows":0,"total-l4-payload-len":4906,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1647958147591534} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121469/121469 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 482 chars -~~ json string max len.......: 1393 chars -~~ json string avg len.......: 903 chars +~~ json string max len.......: 1377 chars +~~ json string avg len.......: 896 chars diff --git a/test/results/stun_facebook.pcapng.out b/test/results/stun_facebook.pcapng.out index 05a26ee11..b95e17bde 100644 --- a/test/results/stun_facebook.pcapng.out +++ b/test/results/stun_facebook.pcapng.out @@ -5,7 +5,7 @@ 00641{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1629291451242856,"flow_dst_last_pkt_time":1629291451254377,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":146,"pkt_l4_len":112,"thread_ts_usec":1629291451254377,"pkt":"mt9Y+uvcCL6sCxduCABFAACER+pAAFURmuofDVY2wKgMqZxDlOsAcMgPARMAVCESpEJBSzdRUHlQSzlldVYACQAQAAAEAXVuYXV0aG9yaXplZAAVAChiYjAzMWQ2MWNjYzFiZTgyZTI0MDE0NDM1ZWQ1MmYyNmZiYTYyNDgzABQAD3R1cm5lci5mYWNlYm9vawA="} 01124{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1629291451242856,"flow_src_last_pkt_time":1629291451242856,"flow_dst_last_pkt_time":1629291451254377,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":104,"flow_src_tot_l4_payload_len":28,"flow_dst_tot_l4_payload_len":104,"midstream":0,"thread_ts_usec":1629291451254377,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.FacebookVoip","proto_id":"78.268","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"turner.facebook","stun": {"num_udp_pkts":2,"num_binding_requests":0,"num_processed_pkts":1}}} 00685{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1629291451258494,"flow_dst_last_pkt_time":1629291451254377,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":178,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":178,"pkt_l4_len":144,"thread_ts_usec":1629291451258494,"pkt":"CL6sCxdumt9Y+uvcCABFAACkVYNAAEARojHAqAypHw1WNpTrnEMAkHyWAAMAdCESpEI1elVqTVhIdmV3K3MAGQAEEQAAAAAGABBNZjJoOUhpNWFQTVJwbEYxABQAD3R1cm5lci5mYWNlYm9vawAAFQAoYmIwMzFkNjFjY2MxYmU4MmUyNDAxNDQzNWVkNTJmMjZmYmE2MjQ4MwAIABSHhqaIN2rgJVJbblyGsNjNga5wAA=="} -01519{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1629291451242856,"flow_src_last_pkt_time":1629291458067482,"flow_dst_last_pkt_time":1629291458262623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":140,"flow_dst_max_l4_payload_len":132,"flow_src_tot_l4_payload_len":2076,"flow_dst_tot_l4_payload_len":1496,"midstream":0,"thread_ts_usec":1629291458262623,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":34,"flow_avg":131602624.0,"flow_max":4197439576,"flow_stddev":730247296.0,"c_to_s_min":195,"c_to_s_avg":247309664.0,"c_to_s_max":4197439576,"c_to_s_stddev":987533440.0,"s_to_c_min":34,"s_to_c_avg":467984.5,"s_to_c_max":5997443,"s_to_c_stddev":1483292.0},"pktlen": {"c_to_s_min":70,"c_to_s_avg":164.1,"c_to_s_max":182,"c_to_s_stddev":28.4,"s_to_c_min":86,"s_to_c_avg":141.7,"s_to_c_max":174,"s_to_c_stddev":32.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.FacebookVoip","proto_id":"78.268","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01503{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1629291451242856,"flow_src_last_pkt_time":1629291458067482,"flow_dst_last_pkt_time":1629291458262623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":140,"flow_dst_max_l4_payload_len":132,"flow_src_tot_l4_payload_len":2076,"flow_dst_tot_l4_payload_len":1496,"midstream":0,"thread_ts_usec":1629291458262623,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":34,"flow_avg":446593.3,"flow_max":6004359,"flow_stddev":1462539.6,"c_to_s_min":195,"c_to_s_avg":426539.1,"c_to_s_max":6004359,"c_to_s_stddev":1442525.0,"s_to_c_min":34,"s_to_c_avg":467984.5,"s_to_c_max":5997443,"s_to_c_stddev":1483292.0},"pktlen": {"c_to_s_min":70,"c_to_s_avg":164.1,"c_to_s_max":182,"c_to_s_stddev":28.4,"s_to_c_min":86,"s_to_c_avg":141.7,"s_to_c_max":174,"s_to_c_stddev":32.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.FacebookVoip","proto_id":"78.268","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01066{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":75,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":40,"flow_dst_packets_processed":35,"flow_first_seen":1629291451242856,"flow_src_last_pkt_time":1629291461328776,"flow_dst_last_pkt_time":1629291461336154,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":132,"flow_src_tot_l4_payload_len":4454,"flow_dst_tot_l4_payload_len":2950,"midstream":0,"thread_ts_usec":1629291461336154,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.FacebookVoip","proto_id":"78.268","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00567{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":75,"source":"stun_facebook.pcapng","alias":"nDPId-test","packets-captured":75,"packets-processed":75,"total-skipped-flows":0,"total-l4-payload-len":7404,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1629291461336154} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -21,5 +21,5 @@ ~~ total allocations/frees...: 121511/121511 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 486 chars -~~ json string max len.......: 1524 chars -~~ json string avg len.......: 973 chars +~~ json string max len.......: 1508 chars +~~ json string avg len.......: 966 chars diff --git a/test/results/stun_signal.pcapng.out b/test/results/stun_signal.pcapng.out index 66156b50c..32a0b575b 100644 --- a/test/results/stun_signal.pcapng.out +++ b/test/results/stun_signal.pcapng.out @@ -67,10 +67,10 @@ 00590{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1636901958294242,"flow_dst_last_pkt_time":1636901958378136,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"thread_ts_usec":1636901958378136,"pkt":"mt9Y+uvcCL6sCxduCABFSABcrnFAAAMRZTQSw4OPwKgMqe7kqDwASOO3AQEALCESpEJyRHdyaGtEci8vOWUAIAAIAAEPmHw9RVEACAAUZTe+q2TI1x26\/6LLBdUUDVZaZoOAKAAEsQfEQQ=="} 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":101,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_src_last_pkt_time":1636901958294242,"flow_dst_last_pkt_time":1636901958378173,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1636901958378173,"pkt":"mt9Y+uvcCL6sCxduCABFSAB8rnJAAAMRZRMSw4OPwKgMqe7kqDwAaODiAAEATCESpEJ2dFg5dWZIQUdCakMABgAJbU53cTpXSnN1AAAAwFcABAADA4SAKQAIQYCdgvFBqWUAJAAEbn8g\/wAIABSzQMYtF7YKfV2BCR2ZgRKFjKrZ7YAoAASRLc2k"} 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":101,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1636901958294242,"flow_src_last_pkt_time":1636901958294242,"flow_dst_last_pkt_time":1636901958378173,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":160,"midstream":0,"thread_ts_usec":1636901958378173,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":43068,"dst_port":61156,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","stun": {"num_udp_pkts":3,"num_binding_requests":2,"num_processed_pkts":3}}} -01499{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1636901958294242,"flow_src_last_pkt_time":1636901960601813,"flow_dst_last_pkt_time":1636901960620966,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":1012,"midstream":0,"thread_ts_usec":1636901960620966,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":43068,"dst_port":61156,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25,"flow_avg":185584.7,"flow_max":1304416,"flow_stddev":281871.7,"c_to_s_min":125,"c_to_s_avg":225749.2,"c_to_s_max":1304416,"c_to_s_stddev":329239.4,"s_to_c_min":25,"s_to_c_avg":145420.2,"s_to_c_max":679364,"s_to_c_stddev":217435.8},"pktlen": {"c_to_s_min":70,"c_to_s_avg":106.5,"c_to_s_max":146,"c_to_s_stddev":27.0,"s_to_c_min":70,"s_to_c_avg":105.2,"s_to_c_max":138,"s_to_c_stddev":22.7}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01497{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1636901958294242,"flow_src_last_pkt_time":1636901960601813,"flow_dst_last_pkt_time":1636901960620966,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":1012,"midstream":0,"thread_ts_usec":1636901960620966,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":43068,"dst_port":61156,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25,"flow_avg":149493.4,"flow_max":679364,"flow_stddev":200828.1,"c_to_s_min":125,"c_to_s_avg":153838.1,"c_to_s_max":600796,"c_to_s_stddev":181344.5,"s_to_c_min":25,"s_to_c_avg":145420.2,"s_to_c_max":679364,"s_to_c_stddev":217435.8},"pktlen": {"c_to_s_min":70,"c_to_s_avg":106.5,"c_to_s_max":146,"c_to_s_stddev":27.0,"s_to_c_min":70,"s_to_c_avg":105.2,"s_to_c_max":138,"s_to_c_stddev":22.7}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":208,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1636901956900169,"flow_src_last_pkt_time":1636901967279945,"flow_dst_last_pkt_time":1636901957525218,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":60,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":1636901967279945,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":43068,"dst_port":19302,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","stun": {"num_udp_pkts":2,"num_binding_requests":2,"num_processed_pkts":2}}} 01116{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":215,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1636901956921410,"flow_src_last_pkt_time":1636901967553880,"flow_dst_last_pkt_time":1636901967684533,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":96,"midstream":0,"thread_ts_usec":1636901967684533,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":39950,"dst_port":19302,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_udp_pkts":3,"num_binding_requests":4,"num_processed_pkts":3}}} -01336{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":278,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":30,"flow_dst_packets_processed":2,"flow_first_seen":1636901936083692,"flow_src_last_pkt_time":1636901980739508,"flow_dst_last_pkt_time":1636901940925734,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":56,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":104,"flow_src_tot_l4_payload_len":1760,"flow_dst_tot_l4_payload_len":208,"midstream":0,"thread_ts_usec":1636901980739508,"l3_proto":"ip4","src_ip":"35.158.183.167","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":15,"flow_avg":126554056.0,"flow_max":4000231900,"flow_stddev":695741824.0,"c_to_s_min":15,"c_to_s_avg":134829600.0,"c_to_s_max":4000231900,"c_to_s_stddev":717795968.0,"s_to_c_min":76,"s_to_c_avg":2421021.0,"s_to_c_max":4841966,"s_to_c_stddev":2420945.0},"pktlen": {"c_to_s_min":90,"c_to_s_avg":92.7,"c_to_s_max":98,"c_to_s_stddev":3.8,"s_to_c_min":138,"s_to_c_avg":138.0,"s_to_c_max":138,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01324{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":278,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":30,"flow_dst_packets_processed":2,"flow_first_seen":1636901936083692,"flow_src_last_pkt_time":1636901980739508,"flow_dst_last_pkt_time":1636901940925734,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":56,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":104,"flow_src_tot_l4_payload_len":1760,"flow_dst_tot_l4_payload_len":208,"midstream":0,"thread_ts_usec":1636901980739508,"l3_proto":"ip4","src_ip":"35.158.183.167","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":15,"flow_avg":1596705.0,"flow_max":17079364,"flow_stddev":3547473.5,"c_to_s_min":15,"c_to_s_avg":1539855.8,"c_to_s_max":17079364,"c_to_s_stddev":3605297.8,"s_to_c_min":76,"s_to_c_avg":2421021.0,"s_to_c_max":4841966,"s_to_c_stddev":2420945.0},"pktlen": {"c_to_s_min":90,"c_to_s_avg":92.7,"c_to_s_max":98,"c_to_s_stddev":3.8,"s_to_c_min":138,"s_to_c_avg":138.0,"s_to_c_max":138,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00769{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1636901998588925,"flow_src_last_pkt_time":1636901998588925,"flow_dst_last_pkt_time":1636901998588925,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":20,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1636901998588925,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":47767,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1636901998588925,"flow_dst_last_pkt_time":1636901998588925,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1636901998588925,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwgdlAAEARxRXAqAyprP15f7qXS2YAHLUpAAEAACESpEJFRDdhYWpCejZ6NGY="} 01114{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1636901998588925,"flow_src_last_pkt_time":1636901998588925,"flow_dst_last_pkt_time":1636901998588925,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":20,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1636901998588925,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":47767,"dst_port":19302,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_udp_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}} @@ -116,7 +116,7 @@ 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":346,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_src_last_pkt_time":1636902000024715,"flow_dst_last_pkt_time":1636902000107063,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1636902000107063,"pkt":"mt9Y+uvcCL6sCxduCABFSAB8w7NAAAYRTNISw4OPwKgMqdMmupcAaK01AAEATCESpEJBbDNpSTF1eStSR1UABgAJN2tzczoxRVpzAAAAwFcABAAAA+eAKQAIiflXHs5q0dMAJAAEbgAg\/wAIABQSmjpLVWLcQ98KImy+h9G3RC6S1IAoAATBitk4"} 00591{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":349,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_src_last_pkt_time":1636902000073738,"flow_dst_last_pkt_time":1636902000142220,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"thread_ts_usec":1636902000142220,"pkt":"mt9Y+uvcCL6sCxduCABFAABcw7ZAAAYRTTcSw4OPwKgMqfA6upcASKsWAQEALCESpEI3OHB2NXh3VHhSY2IAIAAIAAEPjnw9RVEACAAUJEyhW79\/NO7EtgfmN47ncd2\/SCyAKAAE6dNIHg=="} 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":350,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_src_last_pkt_time":1636902000073738,"flow_dst_last_pkt_time":1636902000142270,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1636902000142270,"pkt":"mt9Y+uvcCL6sCxduCABFAAB8w7dAAAYRTRYSw4OPwKgMqfA6upcAaP5PAAEATCESpEIwbFM2UjdmdjFzOTMABgAJN2tzczoxRVpzAAAAwFcABAADA4SAKQAIiflXHs5q0dMAJAAEbn8g\/wAIABT+u0FmMYg2qxKb1bY78Qe06uM1KoAoAAQrkPMA"} -01497{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":393,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1636902000073738,"flow_src_last_pkt_time":1636902002442030,"flow_dst_last_pkt_time":1636902002440493,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":1068,"flow_dst_tot_l4_payload_len":1052,"midstream":0,"thread_ts_usec":1636902002442030,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":47767,"dst_port":61498,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":43,"flow_avg":148924.7,"flow_max":665020,"flow_stddev":187398.1,"c_to_s_min":306,"c_to_s_avg":149927.2,"c_to_s_max":665020,"c_to_s_stddev":182488.0,"s_to_c_min":43,"s_to_c_avg":147922.2,"s_to_c_max":630540,"s_to_c_stddev":192177.6},"pktlen": {"c_to_s_min":70,"c_to_s_avg":108.8,"c_to_s_max":146,"c_to_s_stddev":25.3,"s_to_c_min":70,"s_to_c_avg":107.8,"s_to_c_max":138,"s_to_c_stddev":23.9}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.SignalVoip","proto_id":"78.269","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01497{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":393,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1636902000073738,"flow_src_last_pkt_time":1636902002442030,"flow_dst_last_pkt_time":1636902002440493,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":1068,"flow_dst_tot_l4_payload_len":1052,"midstream":0,"thread_ts_usec":1636902002442030,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":47767,"dst_port":61498,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":43,"flow_avg":152743.5,"flow_max":665020,"flow_stddev":189167.3,"c_to_s_min":306,"c_to_s_avg":157886.1,"c_to_s_max":665020,"c_to_s_stddev":185764.6,"s_to_c_min":43,"s_to_c_avg":147922.2,"s_to_c_max":630540,"s_to_c_stddev":192177.6},"pktlen": {"c_to_s_min":70,"c_to_s_avg":108.8,"c_to_s_max":146,"c_to_s_stddev":25.3,"s_to_c_min":70,"s_to_c_avg":107.8,"s_to_c_max":138,"s_to_c_stddev":23.9}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.SignalVoip","proto_id":"78.269","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00931{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":11,"flow_first_seen":1636901956930390,"flow_src_last_pkt_time":1636901987891969,"flow_dst_last_pkt_time":1636901987908068,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":820,"flow_dst_tot_l4_payload_len":828,"midstream":0,"thread_ts_usec":1636902021384737,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39950,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.SignalVoip","proto_id":"78.269","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00931{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":10,"flow_first_seen":1636901998644452,"flow_src_last_pkt_time":1636902021365208,"flow_dst_last_pkt_time":1636902021381899,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":744,"midstream":0,"thread_ts_usec":1636902021384737,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":37970,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.SignalVoip","proto_id":"78.269","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01064{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":0,"flow_first_seen":1636901956899977,"flow_src_last_pkt_time":1636901980718780,"flow_dst_last_pkt_time":1636901956899977,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":384,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1636902021384737,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":43068,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -155,5 +155,5 @@ ~~ total allocations/frees...: 122122/122122 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 484 chars -~~ json string max len.......: 1504 chars -~~ json string avg len.......: 994 chars +~~ json string max len.......: 1502 chars +~~ json string avg len.......: 993 chars diff --git a/test/results/teams.pcap.out b/test/results/teams.pcap.out index 50d70905a..cf8b99a2c 100644 --- a/test/results/teams.pcap.out +++ b/test/results/teams.pcap.out @@ -34,7 +34,7 @@ 01058{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":18,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676449862,"flow_dst_last_pkt_time":1587041676448366,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041676449862,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01499{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":26,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676464401,"flow_dst_last_pkt_time":1587041676464459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":6025,"midstream":0,"thread_ts_usec":1587041676464459,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}} 01177{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":37,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676499766,"flow_dst_last_pkt_time":1587041676405623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041676499766,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} -01183{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":8545.0,"flow_max":73514,"flow_stddev":14548.4,"c_to_s_min":99,"c_to_s_avg":11565.8,"c_to_s_max":73514,"c_to_s_stddev":18419.5,"s_to_c_min":2,"s_to_c_avg":5879.6,"s_to_c_max":29285,"s_to_c_stddev":9159.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":106.1,"c_to_s_max":312,"c_to_s_stddev":83.9,"s_to_c_min":60,"s_to_c_avg":674.3,"s_to_c_max":1506,"s_to_c_stddev":638.6}}} +01180{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":6449.2,"flow_max":29755,"flow_stddev":8827.8,"c_to_s_min":99,"c_to_s_avg":7140.9,"c_to_s_max":29755,"c_to_s_stddev":8355.8,"s_to_c_min":2,"s_to_c_avg":5879.6,"s_to_c_max":29285,"s_to_c_stddev":9159.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":106.1,"c_to_s_max":312,"c_to_s_stddev":83.9,"s_to_c_min":60,"s_to_c_avg":674.3,"s_to_c_max":1506,"s_to_c_stddev":638.6}}} 01502{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}} 01813{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676545644,"flow_dst_last_pkt_time":1587041676545713,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":4203,"midstream":0,"thread_ts_usec":1587041676545713,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":64,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041676611249} @@ -45,7 +45,7 @@ 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":67,"source":"teams.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1587041676642755,"flow_dst_last_pkt_time":1587041676642642,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041676642755,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGR5PAqAEGKH4JBex2AbukS07qokMa3IAQEAn5EwAAAQEICjCEmIFVAL3h"} 01109{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":68,"source":"teams.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041676612882,"flow_src_last_pkt_time":1587041676643404,"flow_dst_last_pkt_time":1587041676642642,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":246,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041676643404,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.126.9.5","src_port":60534,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"login.microsoftonline.com","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01123{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"teams.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041676612882,"flow_src_last_pkt_time":1587041676643404,"flow_dst_last_pkt_time":1587041676675374,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":246,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1587041676675374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.126.9.5","src_port":60534,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"login.microsoftonline.com","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} -01193{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":42457.9,"flow_max":364935,"flow_stddev":78705.4,"c_to_s_min":1,"c_to_s_avg":37470.3,"c_to_s_max":364935,"c_to_s_stddev":80783.8,"s_to_c_min":125,"s_to_c_avg":55204.0,"s_to_c_max":221245,"s_to_c_stddev":71563.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":1071.5,"c_to_s_max":1494,"c_to_s_stddev":639.7,"s_to_c_min":66,"s_to_c_avg":539.6,"s_to_c_max":1506,"s_to_c_stddev":656.8}}} +01193{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":32055.5,"flow_max":221245,"flow_stddev":54144.2,"c_to_s_min":1,"c_to_s_avg":22585.6,"c_to_s_max":177198,"c_to_s_stddev":41555.6,"s_to_c_min":125,"s_to_c_avg":55204.0,"s_to_c_max":221245,"s_to_c_stddev":71563.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":1071.5,"c_to_s_max":1494,"c_to_s_stddev":639.7,"s_to_c_min":66,"s_to_c_avg":539.6,"s_to_c_max":1506,"s_to_c_stddev":656.8}}} 01818{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":109,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":153,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041677042751,"flow_src_last_pkt_time":1587041677042751,"flow_dst_last_pkt_time":1587041677042751,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041677042751,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":153,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1587041677042751,"flow_dst_last_pkt_time":1587041677042751,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041677042751,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG93bAqAEGNHJNIex3AbvbPWM6AAAAALAC\/\/\/8iwAAAgQFtAEDAwUBAQgKMISaAAAAAAAEAgAA"} @@ -58,8 +58,8 @@ 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":177,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1587041677255227,"flow_dst_last_pkt_time":1587041677255126,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1587041677255227,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGgizAqAEGNHHChOx4Abt\/TkvWpItVFFAQIAAkOAAA"} 01059{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":178,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677255452,"flow_dst_last_pkt_time":1587041677255126,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":214,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":214,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041677255452,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01500{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":186,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677269406,"flow_dst_last_pkt_time":1587041677269476,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":214,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":214,"flow_dst_tot_l4_payload_len":6025,"midstream":0,"thread_ts_usec":1587041677269476,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}} -01474{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":216,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041677042751,"flow_src_last_pkt_time":1587041677328754,"flow_dst_last_pkt_time":1587041677327352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":15383,"flow_dst_tot_l4_payload_len":4699,"midstream":0,"thread_ts_usec":1587041677328754,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":19041.4,"flow_max":49836,"flow_stddev":21157.8,"c_to_s_min":2,"c_to_s_avg":16236.2,"c_to_s_max":49836,"c_to_s_stddev":20978.1,"s_to_c_min":21,"s_to_c_avg":23716.8,"s_to_c_max":49216,"s_to_c_stddev":20622.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":836.3,"c_to_s_max":1494,"c_to_s_stddev":677.2,"s_to_c_min":66,"s_to_c_avg":458.2,"s_to_c_max":1506,"s_to_c_stddev":595.3}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} -01184{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":219,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677297348,"flow_dst_last_pkt_time":1587041677349666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3034,"flow_dst_tot_l4_payload_len":8925,"midstream":0,"thread_ts_usec":1587041677349666,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":5359.2,"flow_max":50397,"flow_stddev":9658.6,"c_to_s_min":4,"c_to_s_avg":4368.8,"c_to_s_max":13830,"c_to_s_stddev":5470.5,"s_to_c_min":3,"s_to_c_avg":6233.0,"s_to_c_max":50397,"s_to_c_stddev":12147.7},"pktlen": {"c_to_s_min":54,"c_to_s_avg":257.9,"c_to_s_max":1494,"c_to_s_stddev":412.5,"s_to_c_min":60,"s_to_c_avg":581.8,"s_to_c_max":1506,"s_to_c_stddev":641.5}}} +01474{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":216,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041677042751,"flow_src_last_pkt_time":1587041677328754,"flow_dst_last_pkt_time":1587041677327352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":15383,"flow_dst_tot_l4_payload_len":4699,"midstream":0,"thread_ts_usec":1587041677328754,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":18406.6,"flow_max":49836,"flow_stddev":21194.3,"c_to_s_min":2,"c_to_s_avg":15052.8,"c_to_s_max":49836,"c_to_s_stddev":20862.3,"s_to_c_min":21,"s_to_c_avg":23716.8,"s_to_c_max":49216,"s_to_c_stddev":20622.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":836.3,"c_to_s_max":1494,"c_to_s_stddev":677.2,"s_to_c_min":66,"s_to_c_avg":458.2,"s_to_c_max":1506,"s_to_c_stddev":595.3}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} +01184{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":219,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677297348,"flow_dst_last_pkt_time":1587041677349666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3034,"flow_dst_tot_l4_payload_len":8925,"midstream":0,"thread_ts_usec":1587041677349666,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":5148.5,"flow_max":50397,"flow_stddev":9740.5,"c_to_s_min":4,"c_to_s_avg":3831.6,"c_to_s_max":13830,"c_to_s_stddev":5266.5,"s_to_c_min":3,"s_to_c_avg":6233.0,"s_to_c_max":50397,"s_to_c_stddev":12147.7},"pktlen": {"c_to_s_min":54,"c_to_s_avg":257.9,"c_to_s_max":1494,"c_to_s_stddev":412.5,"s_to_c_min":60,"s_to_c_avg":581.8,"s_to_c_max":1506,"s_to_c_stddev":641.5}}} 01504{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":219,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677297348,"flow_dst_last_pkt_time":1587041677349666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3034,"flow_dst_tot_l4_payload_len":8925,"midstream":0,"thread_ts_usec":1587041677349666,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":403,"source":"teams.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1587041677380886,"flow_dst_last_pkt_time":1587041673094451,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1587041677380886,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGPCzAqAEGlZqnW+SlAbsZTPC8DAoX91AUECaMmwAA"} 00187{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":607,"source":"teams.pcap","alias":"nDPId-test","layer_type":34969,"global_ts_usec":1587041677408485} @@ -191,7 +191,7 @@ 01068{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1212,"source":"teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041682744658,"flow_dst_last_pkt_time":1587041682744342,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":219,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":219,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041682744658,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"presence.teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01348{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1213,"source":"teams.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":3,"flow_src_last_pkt_time":1587041682740607,"flow_dst_last_pkt_time":1587041682745381,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":665,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":665,"pkt_l4_len":631,"thread_ts_usec":1587041682745381,"pkt":"EBMx8Tl2KDc3AG3ICABFAAKLAABAAEAGwL7AqAEGon0Tg+u4AbuLprsOEqsiiIAYEAA0LgAAAQEICjCEr+ORzaKrFwMDAlK2BaXSajSAVWEKj3frXxijYpT3GD2Cuos6bxaeeEb0O6UJhzmzPZI\/SWy+fgBnTfneCwusduYkx4s3F4xCn2MY3DEvpr\/P48ATzKlJ++OHqI7OI3KpokJ1bF8YwJjJpFyWkPT0\/gdDA2C0thwexYlLgVCHe4dECfAKO3ai6a9AkpIGftSCmWnSsB7\/GodcDd1wDIWHn+mS6A9bTO\/2sRCfLQjmwaqnM\/0Kd1DorrQMm9TT6\/w11NzOyGJGqVRWfthWKCJ2r5CEFaogXR64MxPpr2FM6spcuDUY4C3Hc53Q7uc97BndljPBEgsGGu2WIs1hpBKyBrbp4cakeWFrgRHILDge\/JLjoB\/we0ie6rPfHdzAzbH+CVHboc7ECVvIV6N2Rd\/z5fI6cJ5y1i\/CGpe9JS\/DjF+npNlL3gVvBs3y7VpT4ziTRBRlbzG6hzfaYWVE\/I1GNwloup0kRP0\/\/fFg59buQBmTxdHJsfm4laPDQEGg2\/E9TD5wbcmagME1tYB8Z6HaDDAe1MbrBXtLSM8VMS0ZeI23LZfgw6dIscXGQh+EZCVohYQ2K\/dCOtZqYIGlXsZd11O+bX\/KPVaVnsGCQqimWVbYkJXTdkE5fdL4ibwUdj8vI7+8IXUv8oArxAdVEWB2+pth6d9Zti7C4SxMlmajA50jkJHElO8G4w6Wzb86qkyK4WbkuYLazUSRxEvrQrVtZjtDDcEAhbB3i\/CCiXoyK9403MAI7UV+NXn0+Iqmacnoi+GSVKkccDjbrlFQ3qxHSBpnh\/Zt22FSB4TV4eA="} 01082{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1228,"source":"teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041682744658,"flow_dst_last_pkt_time":1587041682792228,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":219,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":219,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1587041682792228,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"presence.teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} -01195{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1244,"source":"teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":27105.4,"flow_max":152917,"flow_stddev":39979.7,"c_to_s_min":2,"c_to_s_avg":20660.3,"c_to_s_max":152917,"c_to_s_stddev":42854.1,"s_to_c_min":124,"s_to_c_avg":39409.8,"s_to_c_max":86231,"s_to_c_stddev":30217.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":1032.8,"c_to_s_max":1494,"c_to_s_stddev":653.6,"s_to_c_min":66,"s_to_c_avg":453.5,"s_to_c_max":1506,"s_to_c_stddev":621.5}}} +01195{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1244,"source":"teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":27969.4,"flow_max":152917,"flow_stddev":40324.3,"c_to_s_min":2,"c_to_s_avg":21677.2,"c_to_s_max":152917,"c_to_s_stddev":43664.4,"s_to_c_min":124,"s_to_c_avg":39409.8,"s_to_c_max":86231,"s_to_c_stddev":30217.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":1032.8,"c_to_s_max":1494,"c_to_s_stddev":653.6,"s_to_c_min":66,"s_to_c_avg":453.5,"s_to_c_max":1506,"s_to_c_stddev":621.5}}} 01821{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1244,"source":"teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1249,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041682809173,"flow_src_last_pkt_time":1587041682809173,"flow_dst_last_pkt_time":1587041682809173,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041682809173,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"167.99.215.164","src_port":60546,"dst_port":4434,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1249,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_src_last_pkt_time":1587041682809173,"flow_dst_last_pkt_time":1587041682809173,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041682809173,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG+gHAqAEGp2PXpOyCEVImrEWfAAAAALAC\/\/+rgAAAAgQFtAEDAwUBAQgKMISwIQAAAAAEAgAA"} @@ -199,7 +199,7 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1299,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_src_last_pkt_time":1587041682862738,"flow_dst_last_pkt_time":1587041682862686,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041682862738,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+g3AqAEGp2PXpOyCEVImrEWgy3y3uIAQECwqYQAAAQEICjCEsFATeRnV"} 01237{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1300,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041682809173,"flow_src_last_pkt_time":1587041682863165,"flow_dst_last_pkt_time":1587041682862686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041682863165,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"167.99.215.164","src_port":60546,"dst_port":4434,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"dati.ntop.org","tls": {"version":"TLSv1.2","ja3":"7120d65624bcd2e02ed4b01388d84cdb","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01295{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1345,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1587041682809173,"flow_src_last_pkt_time":1587041682863165,"flow_dst_last_pkt_time":1587041682917561,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":152,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":152,"midstream":0,"thread_ts_usec":1587041682917561,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"167.99.215.164","src_port":60546,"dst_port":4434,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"dati.ntop.org","tls": {"version":"TLSv1.2","ja3":"7120d65624bcd2e02ed4b01388d84cdb","ja3s":"410b9bedaf65dd26c6fe547154d60db4","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1439,"source":"teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041683063920,"flow_dst_last_pkt_time":1587041683109441,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2687,"flow_dst_tot_l4_payload_len":6860,"midstream":0,"thread_ts_usec":1587041683109441,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":25194.2,"flow_max":201410,"flow_stddev":46333.1,"c_to_s_min":7,"c_to_s_avg":20813.9,"c_to_s_max":201410,"c_to_s_stddev":45456.8,"s_to_c_min":30,"s_to_c_avg":31596.3,"s_to_c_max":167536,"s_to_c_stddev":46853.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":197.3,"c_to_s_max":1494,"c_to_s_stddev":326.2,"s_to_c_min":60,"s_to_c_avg":583.5,"s_to_c_max":1506,"s_to_c_stddev":630.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} +01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1439,"source":"teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041683063920,"flow_dst_last_pkt_time":1587041683109441,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2687,"flow_dst_tot_l4_payload_len":6860,"midstream":0,"thread_ts_usec":1587041683109441,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":25031.7,"flow_max":201410,"flow_stddev":47065.5,"c_to_s_min":7,"c_to_s_avg":20290.6,"c_to_s_max":201410,"c_to_s_stddev":46646.7,"s_to_c_min":30,"s_to_c_avg":31596.3,"s_to_c_max":167536,"s_to_c_stddev":46853.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":197.3,"c_to_s_max":1494,"c_to_s_stddev":326.2,"s_to_c_min":60,"s_to_c_avg":583.5,"s_to_c_max":1506,"s_to_c_stddev":630.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1443,"source":"teams.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041683142905,"flow_src_last_pkt_time":1587041683142905,"flow_dst_last_pkt_time":1587041683142905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041683142905,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":57504,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1443,"source":"teams.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1587041683142905,"flow_dst_last_pkt_time":1587041683142905,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1587041683142905,"pkt":"EBMx8Tl2KDc3AG3ICABFAABOVgkAAP8R4j3AqAEGwKgBAeCgADUAOmwyTTEBAAABAAAAAAAACmNoYXRzdmNhZ2cEc3ZjcwV0ZWFtcwZvZmZpY2UDY29tAAABAAE="} 01017{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1443,"source":"teams.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041683142905,"flow_src_last_pkt_time":1587041683142905,"flow_dst_last_pkt_time":1587041683142905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041683142905,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":57504,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Teams","proto_id":"5.250","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"chatsvcagg.svcs.teams.office.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -218,7 +218,7 @@ 00188{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1499,"source":"teams.pcap","alias":"nDPId-test","layer_type":34969,"global_ts_usec":1587041683406443} 00361{"packet_event_id":1,"packet_event_name":"packet","packet_id":1499,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041683396534,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 01816{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1503,"source":"teams.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1587041683333389,"flow_src_last_pkt_time":1587041683430891,"flow_dst_last_pkt_time":1587041683431072,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":4203,"midstream":0,"thread_ts_usec":1587041683431072,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60548,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} -01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1516,"source":"teams.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041683186164,"flow_src_last_pkt_time":1587041683511604,"flow_dst_last_pkt_time":1587041683511700,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2582,"flow_dst_tot_l4_payload_len":7792,"midstream":0,"thread_ts_usec":1587041683511700,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.88.59","src_port":60547,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":21694.8,"flow_max":115070,"flow_stddev":30877.3,"c_to_s_min":7,"c_to_s_avg":20483.3,"c_to_s_max":115070,"c_to_s_stddev":32702.2,"s_to_c_min":2,"s_to_c_avg":23252.6,"s_to_c_max":80440,"s_to_c_stddev":28283.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":210.8,"c_to_s_max":1494,"c_to_s_stddev":333.9,"s_to_c_min":66,"s_to_c_avg":623.1,"s_to_c_max":1506,"s_to_c_stddev":618.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} +01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1516,"source":"teams.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041683186164,"flow_src_last_pkt_time":1587041683511604,"flow_dst_last_pkt_time":1587041683511700,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2582,"flow_dst_tot_l4_payload_len":7792,"midstream":0,"thread_ts_usec":1587041683511700,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.88.59","src_port":60547,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":20999.2,"flow_max":115070,"flow_stddev":31123.6,"c_to_s_min":7,"c_to_s_avg":19143.5,"c_to_s_max":115070,"c_to_s_stddev":33166.7,"s_to_c_min":2,"s_to_c_avg":23252.6,"s_to_c_max":80440,"s_to_c_stddev":28283.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":210.8,"c_to_s_max":1494,"c_to_s_stddev":333.9,"s_to_c_min":66,"s_to_c_avg":623.1,"s_to_c_max":1506,"s_to_c_stddev":618.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1533,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041683611241} 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":1533,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041683605577,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1685,"source":"teams.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041684291077,"flow_src_last_pkt_time":1587041684291077,"flow_dst_last_pkt_time":1587041684291077,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041684291077,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":59403,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -232,11 +232,11 @@ 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1698,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":3,"flow_src_last_pkt_time":1587041684317725,"flow_dst_last_pkt_time":1587041684317619,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1587041684317725,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGWazAqAEGDWsSC+yFAbvNnLiaNd4cNVAQIADoJAAA"} 01073{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1699,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684317987,"flow_dst_last_pkt_time":1587041684317619,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041684317987,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 02016{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1722,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684362150,"flow_dst_last_pkt_time":1587041684362335,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":4396,"midstream":0,"thread_ts_usec":1587041684362335,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","server_names":"outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"a66ea560599a2f5c89eec8c3a0d69cee","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com","alpn":"h2,http\/1.1","fingerprint":"AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2"}}} -01201{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1751,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":141945.3,"flow_max":2009785,"flow_stddev":482337.9,"c_to_s_min":4,"c_to_s_avg":145685.6,"c_to_s_max":1998116,"c_to_s_stddev":495845.6,"s_to_c_min":3,"s_to_c_avg":138645.0,"s_to_c_max":2009785,"s_to_c_stddev":470072.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":144.2,"c_to_s_max":575,"c_to_s_stddev":146.8,"s_to_c_min":60,"s_to_c_avg":473.7,"s_to_c_max":1506,"s_to_c_stddev":585.3}}} +01201{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1751,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":146055.7,"flow_max":2009785,"flow_stddev":489503.9,"c_to_s_min":4,"c_to_s_avg":155054.4,"c_to_s_max":1998116,"c_to_s_stddev":511964.8,"s_to_c_min":3,"s_to_c_avg":138645.0,"s_to_c_max":2009785,"s_to_c_stddev":470072.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":144.2,"c_to_s_max":575,"c_to_s_stddev":146.8,"s_to_c_min":60,"s_to_c_avg":473.7,"s_to_c_max":1506,"s_to_c_stddev":585.3}}} 01555{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1751,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"config.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=config.teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1753,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041684611243} 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":1753,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041684501226,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"} -01190{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1756,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":23861.1,"flow_max":539594,"flow_stddev":93127.7,"c_to_s_min":6,"c_to_s_avg":36627.6,"c_to_s_max":539594,"c_to_s_stddev":122424.4,"s_to_c_min":1,"s_to_c_avg":7446.9,"s_to_c_max":32500,"s_to_c_stddev":8633.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":248.2,"c_to_s_max":1494,"c_to_s_stddev":353.8,"s_to_c_min":60,"s_to_c_avg":470.6,"s_to_c_max":1506,"s_to_c_stddev":569.0}}} +01190{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1756,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":24145.7,"flow_max":539594,"flow_stddev":94604.1,"c_to_s_min":6,"c_to_s_avg":37897.6,"c_to_s_max":539594,"c_to_s_stddev":125858.4,"s_to_c_min":1,"s_to_c_avg":7446.9,"s_to_c_max":32500,"s_to_c_stddev":8633.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":248.2,"c_to_s_max":1494,"c_to_s_stddev":353.8,"s_to_c_min":60,"s_to_c_avg":470.6,"s_to_c_max":1506,"s_to_c_stddev":569.0}}} 02020{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1756,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","server_names":"outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"a66ea560599a2f5c89eec8c3a0d69cee","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com","alpn":"h2,http\/1.1","fingerprint":"AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2"}}} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1775,"source":"teams.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041685090830,"flow_src_last_pkt_time":1587041685090830,"flow_dst_last_pkt_time":1587041685090830,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041685090830,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":61245,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1775,"source":"teams.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_src_last_pkt_time":1587041685090830,"flow_dst_last_pkt_time":1587041685090830,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":87,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":87,"pkt_l4_len":53,"thread_ts_usec":1587041685090830,"pkt":"EBMx8Tl2KDc3AG3ICABFAABJHhYAAP8RGjbAqAEGwKgBAe89ADUANcKVVKoBAAABAAAAAAAABGV1YXoCdHIFdGVhbXMJbWljcm9zb2Z0A2NvbQAAAQAB"} @@ -300,7 +300,7 @@ 00188{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1897,"source":"teams.pcap","alias":"nDPId-test","layer_type":34969,"global_ts_usec":1587041685406369} 00361{"packet_event_id":1,"packet_event_name":"packet","packet_id":1897,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041685403983,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 01691{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1908,"source":"teams.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1587041685106192,"flow_src_last_pkt_time":1587041685420065,"flow_dst_last_pkt_time":1587041685420103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":203,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":5962,"midstream":0,"thread_ts_usec":1587041685420103,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.15.45","src_port":60551,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"trouter2-asse-a.trouter.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.trouter.teams.microsoft.com,go.trouter.io,*.drip.trouter.io,*.dc.trouter.io","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2","subjectDN":"CN=*.trouter.teams.microsoft.com","fingerprint":"DD:24:DF:0E:F3:63:CC:10:B5:03:CF:34:EB:A5:14:8B:97:90:9B:D4"}}} -01196{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1936,"source":"teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":21459.7,"flow_max":227998,"flow_stddev":51093.7,"c_to_s_min":25,"c_to_s_avg":32657.3,"c_to_s_max":227998,"c_to_s_stddev":66492.5,"s_to_c_min":3,"s_to_c_avg":12750.4,"s_to_c_max":140399,"s_to_c_stddev":32076.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":157.6,"c_to_s_max":1136,"c_to_s_stddev":276.4,"s_to_c_min":60,"s_to_c_avg":943.6,"s_to_c_max":1506,"s_to_c_stddev":686.8}}} +01196{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1936,"source":"teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":14797.2,"flow_max":153955,"flow_stddev":35697.7,"c_to_s_min":25,"c_to_s_avg":17631.1,"c_to_s_max":153955,"c_to_s_stddev":40004.2,"s_to_c_min":3,"s_to_c_avg":12750.4,"s_to_c_max":140399,"s_to_c_stddev":32076.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":157.6,"c_to_s_max":1136,"c_to_s_stddev":276.4,"s_to_c_min":60,"s_to_c_avg":943.6,"s_to_c_max":1506,"s_to_c_stddev":686.8}}} 01656{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1936,"source":"teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"config.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"7d8fd34fdb13a7fff30d5a52846b6c4c","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=config.teams.microsoft.com","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1979,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041685611278} 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":1979,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041685546646,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"} @@ -316,7 +316,7 @@ 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2045,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":3,"flow_src_last_pkt_time":1587041686288255,"flow_dst_last_pkt_time":1587041686288146,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041686288255,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG94LAqAEGNHJNIeyPAbtgh2e+U\/RRNYAQEAkdGQAAAQEICjCEvUBhH1u7"} 01180{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2046,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041686239545,"flow_src_last_pkt_time":1587041686288562,"flow_dst_last_pkt_time":1587041686288146,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041686288562,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01194{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2047,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041686239545,"flow_src_last_pkt_time":1587041686288562,"flow_dst_last_pkt_time":1587041686339149,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1587041686339149,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} -01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2074,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041686239545,"flow_src_last_pkt_time":1587041686542441,"flow_dst_last_pkt_time":1587041686541501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":14115,"flow_dst_tot_l4_payload_len":4699,"midstream":0,"thread_ts_usec":1587041686542441,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":24345.4,"flow_max":174202,"flow_stddev":34662.7,"c_to_s_min":2,"c_to_s_avg":22719.0,"c_to_s_max":174202,"c_to_s_stddev":39946.4,"s_to_c_min":89,"s_to_c_avg":27450.5,"s_to_c_max":51003,"s_to_c_stddev":20838.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":739.3,"c_to_s_max":1494,"c_to_s_stddev":681.6,"s_to_c_min":66,"s_to_c_avg":493.9,"s_to_c_max":1506,"s_to_c_stddev":609.3}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} +01476{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2074,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041686239545,"flow_src_last_pkt_time":1587041686542441,"flow_dst_last_pkt_time":1587041686541501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":14115,"flow_dst_tot_l4_payload_len":4699,"midstream":0,"thread_ts_usec":1587041686542441,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":19511.4,"flow_max":52987,"flow_stddev":22191.7,"c_to_s_min":2,"c_to_s_avg":15144.8,"c_to_s_max":52987,"c_to_s_stddev":21697.3,"s_to_c_min":89,"s_to_c_avg":27450.5,"s_to_c_max":51003,"s_to_c_stddev":20838.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":739.3,"c_to_s_max":1494,"c_to_s_stddev":681.6,"s_to_c_min":66,"s_to_c_avg":493.9,"s_to_c_max":1506,"s_to_c_stddev":609.3}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2076,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041686611252} 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":2076,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041686589907,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2077,"source":"teams.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041686659283,"flow_src_last_pkt_time":1587041686659283,"flow_dst_last_pkt_time":1587041686659283,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041686659283,"l3_proto":"ip4","src_ip":"192.168.1.112","dst_ip":"192.168.1.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -348,7 +348,7 @@ 01816{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2226,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687544052,"flow_dst_last_pkt_time":1587041687544137,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":412,"flow_dst_tot_l4_payload_len":4203,"midstream":0,"thread_ts_usec":1587041687544137,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2238,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041687611308} 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":2238,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041687600094,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"} -01345{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2258,"source":"teams.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041687436782,"flow_src_last_pkt_time":1587041687725655,"flow_dst_last_pkt_time":1587041687725568,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2206,"flow_dst_tot_l4_payload_len":7143,"midstream":0,"thread_ts_usec":1587041687725655,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"104.40.187.151","src_port":60562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":20123.8,"flow_max":125561,"flow_stddev":32306.2,"c_to_s_min":4,"c_to_s_avg":18693.4,"c_to_s_max":125561,"c_to_s_stddev":31198.2,"s_to_c_min":3,"s_to_c_avg":22214.3,"s_to_c_max":125513,"s_to_c_stddev":33751.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":183.4,"c_to_s_max":1379,"c_to_s_stddev":296.7,"s_to_c_min":66,"s_to_c_avg":616.1,"s_to_c_max":1506,"s_to_c_stddev":612.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Azure","proto_id":"91.276","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +01345{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2258,"source":"teams.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041687436782,"flow_src_last_pkt_time":1587041687725655,"flow_dst_last_pkt_time":1587041687725568,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2206,"flow_dst_tot_l4_payload_len":7143,"midstream":0,"thread_ts_usec":1587041687725655,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"104.40.187.151","src_port":60562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":18634.2,"flow_max":125561,"flow_stddev":31723.1,"c_to_s_min":4,"c_to_s_avg":16048.5,"c_to_s_max":125561,"c_to_s_stddev":29908.0,"s_to_c_min":3,"s_to_c_avg":22214.3,"s_to_c_max":125513,"s_to_c_stddev":33751.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":183.4,"c_to_s_max":1379,"c_to_s_stddev":296.7,"s_to_c_min":66,"s_to_c_avg":616.1,"s_to_c_max":1506,"s_to_c_stddev":612.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Azure","proto_id":"91.276","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2259,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041687731296,"flow_src_last_pkt_time":1587041687731296,"flow_dst_last_pkt_time":1587041687731296,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041687731296,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":62735,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2259,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":1,"flow_src_last_pkt_time":1587041687731296,"flow_dst_last_pkt_time":1587041687731296,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1587041687731296,"pkt":"EBMx8Tl2KDc3AG3ICABFAABM83AAAP8RRNjAqAEGwKgBAfUPADUAOAAFY+UBAAABAAAAAAAABmV1bm8tMQNhcGkPbWljcm9zb2Z0c3RyZWFtA2NvbQAAAQAB"} 01005{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2259,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041687731296,"flow_src_last_pkt_time":1587041687731296,"flow_dst_last_pkt_time":1587041687731296,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041687731296,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":62735,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"euno-1.api.microsoftstream.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -356,7 +356,7 @@ 01024{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2260,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1587041687731296,"flow_src_last_pkt_time":1587041687731296,"flow_dst_last_pkt_time":1587041687745080,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":183,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1587041687745080,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":62735,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"euno-1.api.microsoftstream.com","dns": {"num_queries":1,"num_answers":4,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"52.169.186.119"}}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2261,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041687745932,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687745932,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041687745932,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.169.186.119","src_port":60563,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2261,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":1,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687745932,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041687745932,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGienAqAEGNKm6d+yTAbth0wzHAAAAALAC\/\/81+QAAAgQFtAEDAwUBAQgKMITCxwAAAAAEAgAA"} -01195{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2264,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":31798.8,"flow_max":161774,"flow_stddev":43677.1,"c_to_s_min":2,"c_to_s_avg":24708.4,"c_to_s_max":161774,"c_to_s_stddev":41632.6,"s_to_c_min":129,"s_to_c_avg":43616.2,"s_to_c_max":136486,"s_to_c_stddev":44440.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":947.8,"c_to_s_max":1494,"c_to_s_stddev":669.4,"s_to_c_min":66,"s_to_c_avg":422.2,"s_to_c_max":1506,"s_to_c_stddev":604.0}}} +01195{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2264,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":32165.6,"flow_max":161774,"flow_stddev":44327.4,"c_to_s_min":2,"c_to_s_avg":24933.6,"c_to_s_max":161774,"c_to_s_stddev":42702.2,"s_to_c_min":129,"s_to_c_avg":43616.2,"s_to_c_max":136486,"s_to_c_stddev":44440.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":947.8,"c_to_s_max":1494,"c_to_s_stddev":669.4,"s_to_c_min":66,"s_to_c_avg":422.2,"s_to_c_max":1506,"s_to_c_stddev":604.0}}} 01821{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2264,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2265,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687789261,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1587041687789261,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8GLFAAGwGRTw0qbp3wKgBBgG77JMQ1B2QYdMMyKASIACACgAAAgQFoAEDAwgEAggKASJ3bTCEwsc="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2266,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_src_last_pkt_time":1587041687789367,"flow_dst_last_pkt_time":1587041687789261,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041687789367,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGifXAqAEGNKm6d+yTAbth0wzIENQdkYAQEAm+kQAAAQEICjCEwvABIndt"} @@ -393,10 +393,10 @@ 01085{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2356,"source":"teams.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041691149774,"flow_src_last_pkt_time":1587041691169247,"flow_dst_last_pkt_time":1587041691190981,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":222,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":222,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1587041691190981,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.108.8","src_port":60565,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"emea.ng.msg.teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 00188{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2416,"source":"teams.pcap","alias":"nDPId-test","layer_type":34969,"global_ts_usec":1587041691410839} 00361{"packet_event_id":1,"packet_event_name":"packet","packet_id":2416,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041691399733,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} -01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2417,"source":"teams.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041691149774,"flow_src_last_pkt_time":1587041691305451,"flow_dst_last_pkt_time":1587041691582252,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":994,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2028,"flow_dst_tot_l4_payload_len":8121,"midstream":0,"thread_ts_usec":1587041691582252,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.108.8","src_port":60565,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":20689.4,"flow_max":276869,"flow_stddev":49643.2,"c_to_s_min":3,"c_to_s_avg":12754.6,"c_to_s_max":73905,"c_to_s_stddev":20955.6,"s_to_c_min":14,"s_to_c_avg":30891.3,"s_to_c_max":276869,"s_to_c_stddev":69881.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":180.0,"c_to_s_max":1060,"c_to_s_stddev":242.7,"s_to_c_min":66,"s_to_c_avg":646.6,"s_to_c_max":1506,"s_to_c_stddev":633.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} +01343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2417,"source":"teams.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041691149774,"flow_src_last_pkt_time":1587041691305451,"flow_dst_last_pkt_time":1587041691582252,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":994,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2028,"flow_dst_tot_l4_payload_len":8121,"midstream":0,"thread_ts_usec":1587041691582252,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.108.8","src_port":60565,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":18972.7,"flow_max":276869,"flow_stddev":49493.9,"c_to_s_min":3,"c_to_s_avg":9157.5,"c_to_s_max":62106,"c_to_s_stddev":15233.7,"s_to_c_min":14,"s_to_c_avg":30891.3,"s_to_c_max":276869,"s_to_c_stddev":69881.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":180.0,"c_to_s_max":1060,"c_to_s_stddev":242.7,"s_to_c_min":66,"s_to_c_avg":646.6,"s_to_c_max":1506,"s_to_c_stddev":633.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2419,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041691611256} 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":2419,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041691582349,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"} -01353{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2430,"source":"teams.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1587041682376166,"flow_src_last_pkt_time":1587041682938651,"flow_dst_last_pkt_time":1587041692001418,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1060,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2113,"flow_dst_tot_l4_payload_len":7396,"midstream":0,"thread_ts_usec":1587041692001418,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.76.48","src_port":60544,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":318444.4,"flow_max":8978171,"flow_stddev":1558466.1,"c_to_s_min":4,"c_to_s_avg":35310.6,"c_to_s_max":403234,"c_to_s_stddev":96296.9,"s_to_c_min":2,"s_to_c_avg":601578.2,"s_to_c_max":8978171,"s_to_c_stddev":2165186.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":188.3,"c_to_s_max":1114,"c_to_s_stddev":274.5,"s_to_c_min":60,"s_to_c_avg":518.1,"s_to_c_max":1506,"s_to_c_stddev":585.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} +01353{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2430,"source":"teams.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1587041682376166,"flow_src_last_pkt_time":1587041682938651,"flow_dst_last_pkt_time":1587041692001418,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1060,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2113,"flow_dst_tot_l4_payload_len":7396,"midstream":0,"thread_ts_usec":1587041692001418,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.76.48","src_port":60544,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":328636.7,"flow_max":8978171,"flow_stddev":1582353.1,"c_to_s_min":4,"c_to_s_avg":37499.0,"c_to_s_max":403234,"c_to_s_stddev":99069.0,"s_to_c_min":2,"s_to_c_avg":601578.2,"s_to_c_max":8978171,"s_to_c_stddev":2165186.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":188.3,"c_to_s_max":1114,"c_to_s_stddev":274.5,"s_to_c_min":60,"s_to_c_avg":518.1,"s_to_c_max":1506,"s_to_c_stddev":585.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2438,"source":"teams.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041692528594,"flow_src_last_pkt_time":1587041692528594,"flow_dst_last_pkt_time":1587041692528594,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":120,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":120,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1587041692528594,"l3_proto":"ip4","src_ip":"151.11.50.139","dst_ip":"192.168.1.6","src_port":2222,"dst_port":54750,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00693{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2438,"source":"teams.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1587041692528594,"flow_dst_last_pkt_time":1587041692528594,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":186,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":186,"pkt_l4_len":152,"thread_ts_usec":1587041692528594,"pkt":"KDc3AG3IEBMx8Tl2CABFAACscMtAADIGTDyXCzKLwKgBBgiu1d6yibcLw8sjj4AYAfWSMAAAAQEICnMgXuAwhCbwdBDZH1X2LNSHenV0XPT5UOuNQPq3DAtDODIIsZ4L3xE8W9ceOtMh\/taRn1i3oYCG\/lk5DiXu3JH7RFT8gb0ANFHp9LfVVHPD+A0sB0\/WJaUdO\/QQPvH9sYa9nCylNS5SUfWnuhHHtKPL+2Ql1DSrQI\/KjFfe6Sr3"} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2439,"source":"teams.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":2,"flow_src_last_pkt_time":1587041692528594,"flow_dst_last_pkt_time":1587041692528684,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041692528684,"pkt":"EBMx8Tl2KDc3AG3ICABFSAA0AABAAEAGrzfAqAEGlwsyi9XeCK7DyyOPsom3g4AQD\/zTvAAAAQEICjCE1UVzIF7g"} @@ -515,7 +515,7 @@ 01101{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2683,"source":"teams.pcap","alias":"nDPId-test","flow_id":81,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041695422685,"flow_src_last_pkt_time":1587041695422685,"flow_dst_last_pkt_time":1587041695422685,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":124,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":124,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":124,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041695422685,"l3_proto":"ip4","src_ip":"52.114.252.8","dst_ip":"192.168.1.6","src_port":3479,"dst_port":50016,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_udp_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}} 00634{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2685,"source":"teams.pcap","alias":"nDPId-test","flow_id":81,"flow_packet_id":2,"flow_src_last_pkt_time":1587041695422685,"flow_dst_last_pkt_time":1587041695432665,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":1587041695432665,"pkt":"EBMx8Tl2KDc3AG3ICABFAACA0aoAAEARtpnAqAEGNHL8CMNgDZcAbO2O\/xAAYN6qKWcI9wj8AQEARCESpEKBJ1p+KLNk2I89FPmAcAAEAAAABwAgAAgAASyFFWBYSoA3AAQAAAACgDYABAAAAAEACAAUmYtT\/sgffZE\/GPjMTGRSk5h1N+2AKAAEPqesNg=="} 00632{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2688,"source":"teams.pcap","alias":"nDPId-test","flow_id":80,"flow_packet_id":2,"flow_src_last_pkt_time":1587041695421892,"flow_dst_last_pkt_time":1587041695433333,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":1587041695433333,"pkt":"EBMx8Tl2KDc3AG3ICABFAACAFs8AAEARcWjAqAEGNHL8FcN0DZgAbMYz\/xAAYGUfNM4ueRX8AQEARCESpEK59F1PLtIJs2rQCYqAcAAEAAAABwAgAAgAASyKFWBYV4A3AAQAAAACgDYABAAAAAEACAAUb+d2GMvNHhGxBtT1sjJNLSVYAvSAKAAEqoFJXQ=="} -01482{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2690,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041693516414,"flow_src_last_pkt_time":1587041693824623,"flow_dst_last_pkt_time":1587041695435566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":477,"flow_dst_tot_l4_payload_len":6361,"midstream":0,"thread_ts_usec":1587041695435566,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":70914.0,"flow_max":1566873,"flow_stddev":270404.9,"c_to_s_min":1,"c_to_s_avg":18426.1,"c_to_s_max":69083,"c_to_s_stddev":23795.2,"s_to_c_min":2,"s_to_c_avg":147627.1,"s_to_c_max":1566873,"s_to_c_stddev":411395.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":82.9,"c_to_s_max":241,"c_to_s_stddev":48.6,"s_to_c_min":60,"s_to_c_avg":545.6,"s_to_c_max":1506,"s_to_c_stddev":564.1}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} +01482{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2690,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041693516414,"flow_src_last_pkt_time":1587041693824623,"flow_dst_last_pkt_time":1587041695435566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":477,"flow_dst_tot_l4_payload_len":6361,"midstream":0,"thread_ts_usec":1587041695435566,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":71850.4,"flow_max":1566873,"flow_stddev":274680.6,"c_to_s_min":1,"c_to_s_avg":17122.7,"c_to_s_max":69083,"c_to_s_stddev":23778.0,"s_to_c_min":2,"s_to_c_avg":147627.1,"s_to_c_max":1566873,"s_to_c_stddev":411395.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":82.9,"c_to_s_max":241,"c_to_s_stddev":48.6,"s_to_c_min":60,"s_to_c_avg":545.6,"s_to_c_max":1506,"s_to_c_stddev":564.1}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00650{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2696,"source":"teams.pcap","alias":"nDPId-test","flow_id":76,"flow_packet_id":2,"flow_src_last_pkt_time":1587041695586059,"flow_dst_last_pkt_time":1587041695278787,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":1587041695586059,"pkt":"EBMx8Tl2KDc3AG3ICABFAACMZh4AAEARkejAqAEGwKgABMNgw1UAeNtRAAEAXCESpELGQpqANK6irJWNCoEABgAJbzUvSTpGWTMyAAAAgCoACAAAf4pShlgAgHAABAAAAAeANgAEAAAAAQAkAARu\/\/7\/gDcABAAAAAIACAAUNaR7w6XgHLmtRZxpBWKVkGuwhq2AKAAE+3W4lQ=="} 00652{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2697,"source":"teams.pcap","alias":"nDPId-test","flow_id":77,"flow_packet_id":2,"flow_src_last_pkt_time":1587041695586146,"flow_dst_last_pkt_time":1587041695278905,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":1587041695586146,"pkt":"EBMx8Tl2KDc3AG3ICABFAACMyucAAEARLR\/AqAEGwKgABMN0w2QAeBWjAAEAXCESpEJMnOcpR8XuRjfgdwcABgAJSkZ3ajorbUl2AAAAgCoACAAAf4pShlgAgHAABAAAAAeANgAEAAAAAQAkAARu\/\/7\/gDcABAAAAAIACAAUZBvpMZrPL2uguq2xDA1A6CBjF+2AKAAEncV\/3g=="} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2699,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041695611288} @@ -538,7 +538,7 @@ 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2767,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_packet_id":1,"flow_src_last_pkt_time":1587041697660621,"flow_dst_last_pkt_time":1587041697660621,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1587041697660621,"pkt":"KDc3AG3IEBMx8Tl2CABFoAA40fgAADUBJWpdR27NwKgBBgMDcCsAAAAARQAASh2AAAAyEd1gwKgBBl1Hbs3DdD\/NADaJWQ=="} 00849{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2767,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041697660621,"flow_src_last_pkt_time":1587041697660621,"flow_dst_last_pkt_time":1587041697660621,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041697660621,"l3_proto":"ip4","src_ip":"93.71.110.205","dst_ip":"192.168.1.6","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.321296}} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2774,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_packet_id":2,"flow_src_last_pkt_time":1587041697673040,"flow_dst_last_pkt_time":1587041697660621,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1587041697673040,"pkt":"KDc3AG3IEBMx8Tl2CABFoAA4akMAADUBjR9dR27NwKgBBgMDcBsAAAAARQAAWp4wAAAyEVygwKgBBl1Hbs3DdD\/NAEaJWQ=="} -01496{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2805,"source":"teams.pcap","alias":"nDPId-test","flow_id":78,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":7,"flow_first_seen":1587041695305290,"flow_src_last_pkt_time":1587041697913583,"flow_dst_last_pkt_time":1587041697668816,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1214,"flow_dst_max_l4_payload_len":1214,"flow_src_tot_l4_payload_len":4324,"flow_dst_tot_l4_payload_len":2890,"midstream":0,"thread_ts_usec":1587041697913583,"l3_proto":"ip4","src_ip":"93.71.110.205","dst_ip":"192.168.1.6","src_port":16332,"dst_port":50016,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":156549.4,"flow_max":1168245,"flow_stddev":360526.5,"c_to_s_min":1,"c_to_s_avg":105842.2,"c_to_s_max":1167037,"c_to_s_stddev":285854.4,"s_to_c_min":13,"s_to_c_avg":337646.6,"s_to_c_max":1168245,"s_to_c_stddev":510275.3},"pktlen": {"c_to_s_min":80,"c_to_s_avg":215.0,"c_to_s_max":1256,"c_to_s_stddev":307.9,"s_to_c_min":80,"s_to_c_avg":454.9,"s_to_c_max":1256,"s_to_c_stddev":507.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01496{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2805,"source":"teams.pcap","alias":"nDPId-test","flow_id":78,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":7,"flow_first_seen":1587041695305290,"flow_src_last_pkt_time":1587041697913583,"flow_dst_last_pkt_time":1587041697668816,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1214,"flow_dst_max_l4_payload_len":1214,"flow_src_tot_l4_payload_len":4324,"flow_dst_tot_l4_payload_len":2890,"midstream":0,"thread_ts_usec":1587041697913583,"l3_proto":"ip4","src_ip":"93.71.110.205","dst_ip":"192.168.1.6","src_port":16332,"dst_port":50016,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":160381.3,"flow_max":1168245,"flow_stddev":365653.3,"c_to_s_min":1,"c_to_s_avg":108678.9,"c_to_s_max":1167037,"c_to_s_stddev":291404.0,"s_to_c_min":13,"s_to_c_avg":337646.6,"s_to_c_max":1168245,"s_to_c_stddev":510275.3},"pktlen": {"c_to_s_min":80,"c_to_s_avg":215.0,"c_to_s_max":1256,"c_to_s_stddev":307.9,"s_to_c_min":80,"s_to_c_avg":454.9,"s_to_c_max":1256,"s_to_c_stddev":507.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00767{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":11,"flow_first_seen":1587041693828302,"flow_src_last_pkt_time":1587041694047808,"flow_dst_last_pkt_time":1587041694047695,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":235,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":567,"flow_dst_tot_l4_payload_len":6363,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.152","src_port":50014,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01055{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":13,"flow_first_seen":1587041693516414,"flow_src_last_pkt_time":1587041695435668,"flow_dst_last_pkt_time":1587041695435566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":477,"flow_dst_tot_l4_payload_len":6361,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 01055{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":67,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":13,"flow_first_seen":1587041693582610,"flow_src_last_pkt_time":1587041694243274,"flow_dst_last_pkt_time":1587041694243144,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":477,"flow_dst_tot_l4_payload_len":6361,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50021,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} diff --git a/test/results/teamviewer.pcap.out b/test/results/teamviewer.pcap.out index 42a0e1887..06985e19e 100644 --- a/test/results/teamviewer.pcap.out +++ b/test/results/teamviewer.pcap.out @@ -10,7 +10,7 @@ 00605{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":239,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520148441,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":520148441,"pkt":"CAAns+YuUlQAEjUCCABFAAB8FPQAAEARG05dL+DxCgACD4zFhnEAaPihAAAAAAAAAAAAAAMXJEdQAAUAAAAAAAAAAAAAADkzLjQ3LjIyNC4yNDEAAADEjAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 01097{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":240,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520160692,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":506,"pkt_l4_len":472,"thread_ts_usec":520160692,"pkt":"CAAns+YuUlQAEjUCCABFAAHsFPcAAEARGdtdL+DxCgACD4zFhnEB2EYbAAAAAAAAAAAAAAMXJEfAAQQAAAA7Jmk0CQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="} 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":241,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":3,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520160749,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":1584,"midstream":0,"thread_ts_usec":520160749,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} -01569{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":269,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":521274313,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":13050,"midstream":0,"thread_ts_usec":521274313,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":194121.5,"flow_max":5073689,"flow_stddev":881556.3,"c_to_s_min":5073689,"c_to_s_avg":5073689.0,"c_to_s_max":5073689,"c_to_s_stddev":0.0,"s_to_c_min":7,"s_to_c_avg":36716.1,"s_to_c_max":442863,"s_to_c_stddev":96766.6},"pktlen": {"c_to_s_min":138,"c_to_s_avg":138.0,"c_to_s_max":138,"c_to_s_stddev":0.0,"s_to_c_min":58,"s_to_c_avg":463.0,"s_to_c_max":1066,"s_to_c_stddev":454.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +01548{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":269,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":521274313,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":13050,"midstream":0,"thread_ts_usec":521274313,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7,"flow_avg":36716.1,"flow_max":442863,"flow_stddev":96766.6,"c_to_s_min":0,"c_to_s_avg":0.0,"c_to_s_max":0,"c_to_s_stddev":0.0,"s_to_c_min":7,"s_to_c_avg":36716.1,"s_to_c_max":442863,"s_to_c_stddev":96766.6},"pktlen": {"c_to_s_min":138,"c_to_s_avg":138.0,"c_to_s_max":138,"c_to_s_stddev":0.0,"s_to_c_min":58,"s_to_c_avg":463.0,"s_to_c_max":1066,"s_to_c_stddev":454.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1283,"source":"teamviewer.pcap","alias":"nDPId-test","packets-captured":1283,"packets-processed":1282,"total-skipped-flows":0,"total-l4-payload-len":643545,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":633881700} 01142{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1298,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1008,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":558067677,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":520398,"midstream":0,"thread_ts_usec":729854393,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00903{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1298,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":129,"flow_dst_packets_processed":160,"flow_first_seen":330297046,"flow_src_last_pkt_time":729854393,"flow_dst_last_pkt_time":729854070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":60753,"flow_dst_tot_l4_payload_len":64705,"midstream":0,"thread_ts_usec":729854393,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"162.250.2.170","src_port":35732,"dst_port":5938,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} @@ -28,5 +28,5 @@ ~~ total allocations/frees...: 122743/122743 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 481 chars -~~ json string max len.......: 1574 chars -~~ json string avg len.......: 1023 chars +~~ json string max len.......: 1553 chars +~~ json string avg len.......: 1013 chars diff --git a/test/results/telegram.pcap.out b/test/results/telegram.pcap.out index d4ed5a983..5d3bd0e6e 100644 --- a/test/results/telegram.pcap.out +++ b/test/results/telegram.pcap.out @@ -50,8 +50,8 @@ 00759{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":76,"source":"telegram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1588779604297208,"flow_dst_last_pkt_time":1588779596464729,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":238,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":238,"pkt_l4_len":204,"thread_ts_usec":1588779604297208,"pkt":"AQBeAAD7wJrQLWJ0CABFAADgDXQAAP8RCsDAqAE14AAA+xTpFOkAzL4AAAAAAAADAAMAAAABCF9ob21la2l0BF90Y3AFbG9jYWwAAAwAAQ9fY29tcGFuaW9uLWxpbmvAFQAMAAEMX3NsZWVwLXByb3h5BF91ZHDAGgAMAAHAJQAMAAEAABGUABANTHVjYeKAmXMgaU1hY8AlwCUADAABAAARlAAOC0x1Y2EncyBpUGFkwCXAOwAMAAEAABGUABIPNTAtMzUtMTAtNzAuMSAxwDsAACkFoAAAEZQAEgAEAA4AMeKa0C1idMCa0C1idA=="} 00788{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":77,"source":"telegram.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1588779604297420,"flow_dst_last_pkt_time":1588779603292829,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":258,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":258,"pkt_l4_len":204,"thread_ts_usec":1588779604297420,"pkt":"MzMAAAD7wJrQLWJ0ht1gBqDxAMwR\/\/6AAAAAAAAAGKCkEok1wBv\/AgAAAAAAAAAAAAAAAAD7FOkU6QDMXFcAAAAAAAMAAwAAAAEIX2hvbWVraXQEX3RjcAVsb2NhbAAADAABD19jb21wYW5pb24tbGlua8AVAAwAAQxfc2xlZXAtcHJveHkEX3VkcMAaAAwAAcAlAAwAAQAAEZQAEA1MdWNh4oCZcyBpTWFjwCXAJQAMAAEAABGUAA4LTHVjYSdzIGlQYWTAJcA7AAwAAQAAEZQAEg81MC0zNS0xMC03MC4xIDHAOwAAKQWgAAARlAASAAQADgAx4prQLWJ0wJrQLWJ0"} 00869{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":78,"source":"telegram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1588779604398986,"flow_dst_last_pkt_time":1588779597291316,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":320,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":320,"pkt_l4_len":286,"thread_ts_usec":1588779604398986,"pkt":"jP5XIzfkKDc3AG3ICABFAAEy\/rUAAP8ROBzAqAFNwKgBSxTpFOkBHhkOAACEAAAAAAEAAAAED19jb21wYW5pb24tbGluawRfdGNwBWxvY2FsAAAMAAEAABGUABANTHVjYeKAmXMgaU1hY8AMwDIAIYABAAAAeAATAAAAAMAFCkx1Y2FzLWlNYWPAIcAyABCAAQAAEZQAWBZycEJBPTM5OjJBOjg4OkFDOjQxOkFCCnJwVnI9MTUyLjERcnBIST1mOWM0NmM2ZGQwN2QRcnBITj0zYzVkYzVjZTk1NzgRcnBIQT04Y2E4Y2I3MzFjMWMNTHVjYeKAmXMgaU1hYwxfZGV2aWNlLWluZm\/AHAAQAAEAABGUABoObW9kZWw9aU1hYzExLDMKb3N4dmVycz0xN8BUAAGAAQAAAHgABMCoAU0="} -01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":81,"source":"telegram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708234,"flow_src_last_pkt_time":1588779604771519,"flow_dst_last_pkt_time":1588779596708234,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771519,"l3_proto":"ip4","src_ip":"192.168.1.75","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":424,"flow_avg":77578256.0,"flow_max":2474440826,"flow_stddev":430489312.0,"c_to_s_min":424,"c_to_s_avg":77578256.0,"c_to_s_max":2474440826,"c_to_s_stddev":430489312.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":142,"c_to_s_avg":198.7,"c_to_s_max":308,"c_to_s_stddev":56.4,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01340{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":82,"source":"telegram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708683,"flow_src_last_pkt_time":1588779604771558,"flow_dst_last_pkt_time":1588779596708683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771558,"l3_proto":"ip6","src_ip":"fe80::4ba:91a:7817:e318","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":368,"flow_avg":77578256.0,"flow_max":2474441275,"flow_stddev":430489376.0,"c_to_s_min":368,"c_to_s_avg":77578256.0,"c_to_s_max":2474441275,"c_to_s_stddev":430489376.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":162,"c_to_s_avg":218.7,"c_to_s_max":328,"c_to_s_stddev":56.4,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01316{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":81,"source":"telegram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708234,"flow_src_last_pkt_time":1588779604771519,"flow_dst_last_pkt_time":1588779596708234,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771519,"l3_proto":"ip4","src_ip":"192.168.1.75","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":424,"flow_avg":260106.0,"flow_max":1089013,"flow_stddev":238284.9,"c_to_s_min":424,"c_to_s_avg":260106.0,"c_to_s_max":1089013,"c_to_s_stddev":238284.9,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":142,"c_to_s_avg":198.7,"c_to_s_max":308,"c_to_s_stddev":56.4,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01324{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":82,"source":"telegram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708683,"flow_src_last_pkt_time":1588779604771558,"flow_dst_last_pkt_time":1588779596708683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771558,"l3_proto":"ip6","src_ip":"fe80::4ba:91a:7817:e318","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":368,"flow_avg":260092.7,"flow_max":1088510,"flow_stddev":238249.1,"c_to_s_min":368,"c_to_s_avg":260092.7,"c_to_s_max":1088510,"c_to_s_stddev":238249.1,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":162,"c_to_s_avg":218.7,"c_to_s_max":328,"c_to_s_stddev":56.4,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00881{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":99,"source":"telegram.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1588779606465822,"flow_dst_last_pkt_time":1588779596451825,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":321,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":321,"pkt_l4_len":287,"thread_ts_usec":1588779606465822,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWrCABFAAEzGJdAAEARYHrAqAAB\/\/\/\/\/wBEAEMBHwAAAQEGABAmSTUAAIAAAAAAAAAAAAAAAAAAAAAAANgNF9ZVqwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwIBAwwJVEwtU0cxMTZFPAlUTC1TRzExNkU9BwHYDRfWVav\/"} 00918{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":102,"source":"telegram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1588779596464729,"flow_src_last_pkt_time":1588779607307651,"flow_dst_last_pkt_time":1588779596464729,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":196,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779607307651,"l3_proto":"ip4","src_ip":"192.168.1.53","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"_sleep-proxy._udp.local","mdns": {}}} 00661{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":103,"source":"telegram.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1588779607308336,"flow_dst_last_pkt_time":1588779603292829,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":162,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":162,"pkt_l4_len":108,"thread_ts_usec":1588779607308336,"pkt":"MzMAAAD7wJrQLWJ0ht1gBqDxAGwR\/\/6AAAAAAAAAGKCkEok1wBv\/AgAAAAAAAAAAAAAAAAD7FOkU6QBsCTwAAAAAAAEAAQAAAAEMX3NsZWVwLXByb3h5BF91ZHAFbG9jYWwAAAwAAcAMAAwAAQAAEZEAEg81MC0zNS0xMC03MC4xIDHADAAAKQWgAAARlAASAAQADgAx4prQLWJ0wJrQLWJ0"} @@ -118,14 +118,14 @@ 00997{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":248,"source":"telegram.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779617174225,"flow_src_last_pkt_time":1588779617174225,"flow_dst_last_pkt_time":1588779617174225,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779617174225,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"87.11.205.195","src_port":23174,"dst_port":60723,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00604{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":255,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1588779617174153,"flow_dst_last_pkt_time":1588779617350710,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1588779617350710,"pkt":"KDc3AG3I8KNaMBgSCABFAABsUAUAAEARpqrAqAE0wKgBTXr4WoYAWLDM6Td5ePjQrnTyke2EPHu3iQJhxLIf06esu8RwrHmFIT7cHf5ycIamk2yhxwjAfE09exZIgAEDzMDiso7KFMuIe8fjwzyyS3MKiG+Cd3eNuy0="} 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":283,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_src_last_pkt_time":1588779617174153,"flow_dst_last_pkt_time":1588779617856441,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1588779617856441,"pkt":"KDc3AG3I8KNaMBgSCABFAABsRZ4AAEARsRHAqAE0wKgBTXr4WoYAWPxjToIQs5m5XoZB1qDehmfhJomQUeopOlZuJIIaL6qE8BgtmXQ6sqxHJAacGMTU5S5RgUjUPrOpUP\/aPObI3ORz5PRGJjnynufzdcsxdb\/ZTPY="} -01343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":285,"source":"telegram.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1588779616036528,"flow_src_last_pkt_time":1588779617856756,"flow_dst_last_pkt_time":1588779617876992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":192,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":3040,"midstream":0,"thread_ts_usec":1588779617876992,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.7","src_port":23174,"dst_port":521,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":658,"flow_avg":168802.5,"flow_max":1740988,"flow_stddev":303147.5,"c_to_s_min":658,"c_to_s_avg":356121.6,"c_to_s_max":1740988,"c_to_s_stddev":478126.3,"s_to_c_min":4478,"s_to_c_avg":83657.5,"s_to_c_max":308435,"s_to_c_stddev":80994.8},"pktlen": {"c_to_s_min":74,"c_to_s_avg":109.2,"c_to_s_max":138,"c_to_s_stddev":28.9,"s_to_c_min":90,"s_to_c_avg":180.2,"s_to_c_max":234,"s_to_c_stddev":53.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":285,"source":"telegram.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1588779616036528,"flow_src_last_pkt_time":1588779617856756,"flow_dst_last_pkt_time":1588779617876992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":192,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":3040,"midstream":0,"thread_ts_usec":1588779617876992,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.7","src_port":23174,"dst_port":521,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":658,"flow_avg":118086.8,"flow_max":500928,"flow_stddev":112055.1,"c_to_s_min":658,"c_to_s_avg":202247.6,"c_to_s_max":500928,"c_to_s_stddev":131274.9,"s_to_c_min":4478,"s_to_c_avg":83657.5,"s_to_c_max":308435,"s_to_c_stddev":80994.8},"pktlen": {"c_to_s_min":74,"c_to_s_avg":109.2,"c_to_s_max":138,"c_to_s_stddev":28.9,"s_to_c_min":90,"s_to_c_avg":180.2,"s_to_c_max":234,"s_to_c_stddev":53.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":340,"source":"telegram.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1588779618677198,"flow_dst_last_pkt_time":1588779617174225,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1588779618677198,"pkt":"EBMx8Tl2KDc3AG3ICABFAABMg0kAAEAREJTAqAFNVwvNw1qG7TMAOE0OU2RiXNjy8sJRKs8KhnTyEy6Nhnt95vQlharNkBkXr2lvtMgl2dlHhYY4WvPjXQkp"} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":389,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779619914905,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619914905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779619914905,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":389,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619914905,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1588779619914905,"pkt":"EBMx8Tl2KDc3AG3ICABFAABHqTUAAEARTdLAqAFNwKgBAbgXADUAM25TALgBAAABAAAAAAAAA3d3dxFnb29nbGV0YWdzZXJ2aWNlcwNjb20AAAEAAQ=="} 01017{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":389,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779619914905,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619914905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779619914905,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.GoogleServices","proto_id":"5.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00576{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":390,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619916408,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"thread_ts_usec":1588779619916408,"pkt":"KDc3AG3IAICPmq69CABFAABXwqhAAEAR9E7AqAEBwKgBTQA1uBcAQ5UvALiBgAABAAEAAAAAA3d3dxFnb29nbGV0YWdzZXJ2aWNlcwNjb20AAAEAAcAMAAEAAQAAAAAABMCoAZ0="} 01160{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":390,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1588779619914905,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619916408,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":59,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":59,"midstream":0,"thread_ts_usec":1588779619916408,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS.GoogleServices","proto_id":"5.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"192.168.1.157"}}} -01212{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":435,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1588779617174153,"flow_src_last_pkt_time":1588779621221417,"flow_dst_last_pkt_time":1588779621214760,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":240,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3216,"midstream":0,"thread_ts_usec":1588779621221417,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.52","src_port":23174,"dst_port":31480,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":42308,"flow_avg":256929.0,"flow_max":1998754,"flow_stddev":465760.6,"c_to_s_min":57696,"c_to_s_avg":321624.6,"c_to_s_max":1998754,"c_to_s_stddev":567736.5,"s_to_c_min":42308,"s_to_c_avg":212663.5,"s_to_c_max":1681273,"s_to_c_stddev":374165.1},"pktlen": {"c_to_s_min":90,"c_to_s_avg":197.1,"c_to_s_max":234,"c_to_s_stddev":50.7,"s_to_c_min":90,"s_to_c_avg":211.3,"s_to_c_max":282,"s_to_c_stddev":56.2}}} +01212{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":435,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1588779617174153,"flow_src_last_pkt_time":1588779621221417,"flow_dst_last_pkt_time":1588779621214760,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":240,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3216,"midstream":0,"thread_ts_usec":1588779621221417,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.52","src_port":23174,"dst_port":31480,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":42308,"flow_avg":260899.1,"flow_max":1998754,"flow_stddev":472680.0,"c_to_s_min":57696,"c_to_s_avg":337272.0,"c_to_s_max":1998754,"c_to_s_stddev":588219.5,"s_to_c_min":42308,"s_to_c_avg":212663.5,"s_to_c_max":1681273,"s_to_c_stddev":374165.1},"pktlen": {"c_to_s_min":90,"c_to_s_avg":197.1,"c_to_s_max":234,"c_to_s_stddev":50.7,"s_to_c_min":90,"s_to_c_avg":211.3,"s_to_c_max":282,"s_to_c_stddev":56.2}}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":435,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1588779617174153,"flow_src_last_pkt_time":1588779621221417,"flow_dst_last_pkt_time":1588779621214760,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":240,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3216,"midstream":0,"thread_ts_usec":1588779621221417,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.52","src_port":23174,"dst_port":31480,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":597,"source":"telegram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779625981468,"flow_src_last_pkt_time":1588779625981468,"flow_dst_last_pkt_time":1588779625981468,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":355,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":355,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":355,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779625981468,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00990{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":597,"source":"telegram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1588779625981468,"flow_dst_last_pkt_time":1588779625981468,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":397,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":397,"pkt_l4_len":363,"thread_ts_usec":1588779625981468,"pkt":"\/\/\/\/\/\/\/\/AICPmq69CABFAAF\/jrEAAEAR6r0AAAAA\/\/\/\/\/wBEAEMBa16\/AQEGAN7JmyKFuQAAAAAAAAAAAAAAAAAAAAAAAACAj5quvQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBPRP\/j5quvQABAAEfyzfOuCfrPQjbUAB0AQE5AgXcPC1kaGNwY2QtNi4xMC4xOkxpbnV4LTQuOS41Ny12Nys6YXJtdjdsOkJDTTI4MzUMDHBpMy5udG9wLm9yZ5EBATcPAXkhAwYMDxocKjM2Ojt3\/w=="} @@ -205,10 +205,10 @@ 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":753,"source":"telegram.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":3,"flow_src_last_pkt_time":1588779638048873,"flow_dst_last_pkt_time":1588779637682180,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1588779638048873,"pkt":"EBMx8Tl2KDc3AG3ICABFAABE8IoAAEARYLjAqAFNW2wMBW32AhkAMMg9L+Sfp2xOtDPLzYKhu+piHv\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/8fmAjwvVRcdw=="} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":754,"source":"telegram.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":3,"flow_src_last_pkt_time":1588779638048996,"flow_dst_last_pkt_time":1588779637712776,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1588779638048996,"pkt":"EBMx8Tl2KDc3AG3ICABFAABE3R0AAEARcCfAqAFNW2wQA232AhkAMFmIL+Sfp2xOtDPLzYKhu+piHv\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/\/13zLCZd4eiw=="} 00735{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":825,"source":"telegram.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":2,"flow_src_last_pkt_time":1588779638831421,"flow_dst_last_pkt_time":1588779637830278,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":216,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":216,"pkt_l4_len":182,"thread_ts_usec":1588779638831421,"pkt":"AQBef\/\/6KDc3AG3ICABFAADKuMQAAAERTm\/AqAFN7\/\/\/+sufB2wAtsJkTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMQ0KU1Q6IHVybjpkaWFsLW11bHRpc2NyZWVuLW9yZzpzZXJ2aWNlOmRpYWw6MQ0KVVNFUi1BR0VOVDogR29vZ2xlIENocm9tZS84My4wLjQxMDMuMzQgTWFjIE9TIFgNCg0K"} -01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":845,"source":"telegram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1588779637543816,"flow_src_last_pkt_time":1588779639059745,"flow_dst_last_pkt_time":1588779639085148,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":3024,"flow_dst_tot_l4_payload_len":688,"midstream":0,"thread_ts_usec":1588779639085148,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.8","src_port":28150,"dst_port":529,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":8183,"flow_avg":286040.5,"flow_max":6096034,"flow_stddev":1052272.1,"c_to_s_min":8183,"c_to_s_avg":330954.9,"c_to_s_max":6096034,"c_to_s_stddev":1232823.6,"s_to_c_min":25605,"s_to_c_avg":171259.1,"s_to_c_max":472194,"s_to_c_stddev":185963.9},"pktlen": {"c_to_s_min":74,"c_to_s_avg":173.5,"c_to_s_max":234,"c_to_s_stddev":57.3,"s_to_c_min":90,"s_to_c_avg":118.4,"s_to_c_max":138,"s_to_c_stddev":18.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01342{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":845,"source":"telegram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1588779637543816,"flow_src_last_pkt_time":1588779639059745,"flow_dst_last_pkt_time":1588779639085148,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":3024,"flow_dst_tot_l4_payload_len":688,"midstream":0,"thread_ts_usec":1588779639085148,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.8","src_port":28150,"dst_port":529,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":8183,"flow_avg":98621.3,"flow_max":504672,"flow_stddev":137715.2,"c_to_s_min":8183,"c_to_s_avg":68905.9,"c_to_s_max":504672,"c_to_s_stddev":97648.3,"s_to_c_min":25605,"s_to_c_avg":171259.1,"s_to_c_max":472194,"s_to_c_stddev":185963.9},"pktlen": {"c_to_s_min":74,"c_to_s_avg":173.5,"c_to_s_max":234,"c_to_s_stddev":57.3,"s_to_c_min":90,"s_to_c_avg":118.4,"s_to_c_max":138,"s_to_c_stddev":18.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":853,"source":"telegram.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779639103009,"flow_src_last_pkt_time":1588779639103009,"flow_dst_last_pkt_time":1588779639103009,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779639103009,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"87.11.205.195","src_port":28150,"dst_port":59772,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00605{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":853,"source":"telegram.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1588779639103009,"flow_dst_last_pkt_time":1588779639103009,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1588779639103009,"pkt":"EBMx8Tl2KDc3AG3ICABFAABsKQMAAEARarrAqAFNVwvNw2326XwAWFNj2ajstQcU9VmrWsN2RmlsiodFzsmW0mXr5Gv8o0f2aR9YWQKIE34PAz\/0T4VwEA0DXBRrws2ycCoPovMV6p5YsfJULcJS2cwqBKkU3Xys+SQ="} -01348{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":875,"source":"telegram.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1588779637543824,"flow_src_last_pkt_time":1588779639102885,"flow_dst_last_pkt_time":1588779639500175,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":176,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":3200,"midstream":0,"thread_ts_usec":1588779639500175,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.1","src_port":28150,"dst_port":533,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7087,"flow_avg":300357.9,"flow_max":6096042,"flow_stddev":1051517.2,"c_to_s_min":48588,"c_to_s_avg":956887.9,"c_to_s_max":6096042,"c_to_s_stddev":1950566.2,"s_to_c_min":7087,"s_to_c_avg":81514.6,"s_to_c_max":476895,"s_to_c_stddev":120189.8},"pktlen": {"c_to_s_min":74,"c_to_s_avg":102.0,"c_to_s_max":138,"c_to_s_stddev":28.0,"s_to_c_min":90,"s_to_c_avg":175.3,"s_to_c_max":218,"s_to_c_stddev":48.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":875,"source":"telegram.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1588779637543824,"flow_src_last_pkt_time":1588779639102885,"flow_dst_last_pkt_time":1588779639500175,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":176,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":3200,"midstream":0,"thread_ts_usec":1588779639500175,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.1","src_port":28150,"dst_port":533,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":7087,"flow_avg":113400.4,"flow_max":504936,"flow_stddev":151181.6,"c_to_s_min":48588,"c_to_s_avg":222723.0,"c_to_s_max":504936,"c_to_s_stddev":190404.6,"s_to_c_min":7087,"s_to_c_avg":81514.6,"s_to_c_max":476895,"s_to_c_stddev":120189.8},"pktlen": {"c_to_s_min":74,"c_to_s_avg":102.0,"c_to_s_max":138,"c_to_s_stddev":28.0,"s_to_c_min":90,"s_to_c_avg":175.3,"s_to_c_max":218,"s_to_c_stddev":48.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00734{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":899,"source":"telegram.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":3,"flow_src_last_pkt_time":1588779639832508,"flow_dst_last_pkt_time":1588779637830278,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":216,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":216,"pkt_l4_len":182,"thread_ts_usec":1588779639832508,"pkt":"AQBef\/\/6KDc3AG3ICABFAADKAckAAAERBWvAqAFN7\/\/\/+sufB2wAtsJkTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMQ0KU1Q6IHVybjpkaWFsLW11bHRpc2NyZWVuLW9yZzpzZXJ2aWNlOmRpYWw6MQ0KVVNFUi1BR0VOVDogR29vZ2xlIENocm9tZS84My4wLjQxMDMuMzQgTWFjIE9TIFgNCg0K"} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":915,"source":"telegram.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1588779640101988,"flow_dst_last_pkt_time":1588779639103009,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1588779640101988,"pkt":"EBMx8Tl2KDc3AG3ICABFAABMml0AAEAR+X\/AqAFNVwvNw2326XwAOMsSsmK\/vWlJHJOqyuLBG8kWaad6RX1I27GljGkLPfHdr93dNQ8yPA7ggZLrS4Zn185b"} 00913{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1129,"source":"telegram.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1588779645375046,"flow_dst_last_pkt_time":1588779596465053,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":353,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":353,"pkt_l4_len":319,"thread_ts_usec":1588779645375046,"pkt":"AQBeAAD7eCjKBfrMCABFAAFTiPpAAAERTLfAqAFF4AAA+xTpFOkBP9DmAACEAAAAAAEAAAADEF9zcG90aWZ5LWNvbm5lY3QEX3RjcAVsb2NhbAAADAABAAAAeAAvEXNvbm9zNzgyOENBMDVGQUNDEF9zcG90aWZ5LWNvbm5lY3QEX3RjcAVsb2NhbAARc29ub3M3ODI4Q0EwNUZBQ0MQX3Nwb3RpZnktY29ubmVjdARfdGNwBWxvY2FsAAAQgAEAABGUAB0LVkVSU0lPTj0xLjAQQ1BhdGg9L3Nwb3RpZnl6YxFzb25vczc4MjhDQTA1RkFDQxBfc3BvdGlmeS1jb25uZWN0BF90Y3AFbG9jYWwAACGAAQAAAHgAHwAAAAAFeBFzb25vczc4MjhDQTA1RkFDQwVsb2NhbAARc29ub3M3ODI4Q0EwNUZBQ0MFbG9jYWwAAAGAAQAAAHgABMCoAUU="} diff --git a/test/results/telnet.pcap.out b/test/results/telnet.pcap.out index 98456fe58..32cb2ef38 100644 --- a/test/results/telnet.pcap.out +++ b/test/results/telnet.pcap.out @@ -7,7 +7,7 @@ 01012{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":2,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755158537777,"flow_dst_last_pkt_time":943755158537538,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":3,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":3,"midstream":0,"thread_ts_usec":943755158537777,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"","password":""}}} 01027{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755158616442,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755159705066,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"","password":""}}} 01031{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":31,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160949196,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160949196,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"fake","password":""}}} -01197{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160950568,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160950568,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":172,"flow_avg":16358800.0,"flow_max":519600371,"flow_stddev":90385464.0,"c_to_s_min":172,"c_to_s_avg":30715514.0,"c_to_s_max":519600371,"c_to_s_stddev":122221776.0,"s_to_c_min":593,"s_to_c_avg":87857.5,"s_to_c_max":1107336,"s_to_c_stddev":274847.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":78.4,"c_to_s_max":151,"c_to_s_stddev":23.8,"s_to_c_min":66,"s_to_c_avg":75.8,"s_to_c_max":98,"s_to_c_stddev":10.4}}} +01184{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160950568,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160950568,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":172,"flow_avg":125200.9,"flow_max":1232764,"flow_stddev":336743.6,"c_to_s_min":172,"c_to_s_avg":160210.3,"c_to_s_max":1232764,"c_to_s_stddev":382560.4,"s_to_c_min":593,"s_to_c_avg":87857.5,"s_to_c_max":1107336,"s_to_c_stddev":274847.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":78.4,"c_to_s_max":151,"c_to_s_stddev":23.8,"s_to_c_min":66,"s_to_c_avg":75.8,"s_to_c_max":98,"s_to_c_stddev":10.4}}} 01031{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160950568,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160950568,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"fake","password":""}}} 01019{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":92,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":48,"flow_dst_packets_processed":44,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755197957149,"flow_dst_last_pkt_time":943755197958477,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":488,"flow_src_tot_l4_payload_len":289,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":943755197958477,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess"}} 00557{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":92,"source":"telnet.pcap","alias":"nDPId-test","packets-captured":92,"packets-processed":92,"total-skipped-flows":0,"total-l4-payload-len":1660,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":943755197958477} @@ -24,5 +24,5 @@ ~~ total allocations/frees...: 121527/121527 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 477 chars -~~ json string max len.......: 1202 chars -~~ json string avg len.......: 832 chars +~~ json string max len.......: 1189 chars +~~ json string avg len.......: 826 chars diff --git a/test/results/tftp.pcap.out b/test/results/tftp.pcap.out index 635654e74..c8cbade2e 100644 --- a/test/results/tftp.pcap.out +++ b/test/results/tftp.pcap.out @@ -14,7 +14,7 @@ 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":12,"thread_ts_usec":946730124846355,"pkt":"AFCN14tDAAu+GJpACABFAAAgAAEAAP8ROXTAqAD9wKgACsW6DXUADKpJAAQAAQAAAAAAAAAAAAAAAAAA"} 01176{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":558,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":558,"pkt_l4_len":524,"thread_ts_usec":946730124846355,"pkt":"AAu+GJpAAFCN14tDCABFAAIgkycAAIARI07AqAAKwKgA\/Q11xboCDOXlAAMAAkIgT2ZmaWNpYWwgUHJvdG9jb2wKICAgU3RhbmRhcmRzIiBmb3IgdGhlIHN0YW5kYXJkaXphdGlvbiBzdGF0ZSBhbmQgc3RhdHVzIG9mIHRoaXMgcHJvdG9jb2wuCiAgIERpc3RyaWJ1dGlvbiBvZiB0aGlzIG1lbW8gaXMgdW5saW1pdGVkLgoKU3VtbWFyeQoKICAgVEZUUCBpcyBhIHZlcnkgc2ltcGxlIHByb3RvY29sIHVzZWQgdG8gdHJhbnNmZXIgZmlsZXMuICBJdCBpcyBmcm9tCiAgIHRoaXMgdGhhdCBpdHMgbmFtZSBjb21lcywgVHJpdmlhbCBGaWxlIFRyYW5zZmVyIFByb3RvY29sIG9yIFRGVFAuCiAgIEVhY2ggbm9udGVybWluYWwgcGFja2V0IGlzIGFja25vd2xlZGdlZCBzZXBhcmF0ZWx5LiAgVGhpcyBkb2N1bWVudAogICBkZXNjcmliZXMgdGhlIHByb3RvY29sIGFuZCBpdHMgdHlwZXMgb2YgcGFja2V0cy4gIFRoZSBkb2N1bWVudCBhbHNvCiAgIGV4cGxhaW5zIHRoZSByZWFzb25zIGJlaGluZCBzb21lIG9mIHRoZSBkZXNpZ24gZGVjaXNpb25zLgoKQWNrbm93bGVnZW1lbnRzCgogICBUaGUg"} 00994{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":946730124846355,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":516,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":516,"flow_dst_max_l4_payload_len":4,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":8,"midstream":0,"thread_ts_usec":946730124846355,"l3_proto":"ip4","src_ip":"192.168.0.10","dst_ip":"192.168.0.253","src_port":3445,"dst_port":50618,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TFTP","proto_id":"96","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} -01470{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":35,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946730124846355,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":516,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":516,"flow_dst_max_l4_payload_len":4,"flow_src_tot_l4_payload_len":8256,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":946730124846355,"l3_proto":"ip4","src_ip":"192.168.0.10","dst_ip":"192.168.0.253","src_port":3445,"dst_port":50618,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3368690691,"flow_avg":3368690688.0,"flow_max":3368690691,"flow_stddev":0.0,"c_to_s_min":3368690691,"c_to_s_avg":3368690688.0,"c_to_s_max":3368690691,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":558,"c_to_s_avg":558.0,"c_to_s_max":558,"c_to_s_stddev":0.0,"s_to_c_min":60,"s_to_c_avg":60.0,"s_to_c_max":60,"s_to_c_stddev":0.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TFTP","proto_id":"96","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} +01416{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":35,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946730124846355,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":516,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":516,"flow_dst_max_l4_payload_len":4,"flow_src_tot_l4_payload_len":8256,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":946730124846355,"l3_proto":"ip4","src_ip":"192.168.0.10","dst_ip":"192.168.0.253","src_port":3445,"dst_port":50618,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":0,"flow_avg":0.0,"flow_max":0,"flow_stddev":0.0,"c_to_s_min":0,"c_to_s_avg":0.0,"c_to_s_max":0,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":558,"c_to_s_avg":558.0,"c_to_s_max":558,"c_to_s_stddev":0.0,"s_to_c_min":60,"s_to_c_avg":60.0,"s_to_c_max":60,"s_to_c_stddev":0.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TFTP","proto_id":"96","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":102,"source":"tftp.pcap","alias":"nDPId-test","packets-captured":102,"packets-processed":101,"total-skipped-flows":0,"total-l4-payload-len":25039,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":4,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":18,"global_ts_usec":946733724846355} 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":102,"source":"tftp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946733724846355,"flow_src_last_pkt_time":946733724846355,"flow_dst_last_pkt_time":946733724846355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":19,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":19,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":19,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946733724846355,"l3_proto":"ip4","src_ip":"172.28.4.53","dst_ip":"172.16.5.170","src_port":54627,"dst_port":69,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":102,"source":"tftp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":946733724846355,"flow_dst_last_pkt_time":946733724846355,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":61,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":61,"pkt_l4_len":27,"thread_ts_usec":946733724846355,"pkt":"9Opn97JCCAAnntJbCABFAAAv+hlAAEAR3pisHAQ1rBAFqtVjAEUAGx52AAFzeXNtYW4ubGlzAG9jdGV0AA=="} @@ -49,5 +49,5 @@ ~~ total allocations/frees...: 121603/121603 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 475 chars -~~ json string max len.......: 1475 chars -~~ json string avg len.......: 974 chars +~~ json string max len.......: 1421 chars +~~ json string avg len.......: 947 chars diff --git a/test/results/tinc.pcap.out b/test/results/tinc.pcap.out index 99793efbd..65ec0ce9a 100644 --- a/test/results/tinc.pcap.out +++ b/test/results/tinc.pcap.out @@ -20,8 +20,8 @@ 01002{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":53,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1495983428043218,"flow_src_last_pkt_time":1495983428043218,"flow_dst_last_pkt_time":1495983428043218,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":724,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":724,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":724,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1495983428043218,"l3_proto":"ip4","src_ip":"185.83.218.112","dst_ip":"131.114.168.27","src_port":55656,"dst_port":55656,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} 02451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":54,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1495983428043268,"flow_dst_last_pkt_time":1495983428043218,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1486,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1486,"pkt_l4_len":1452,"thread_ts_usec":1495983428043268,"pkt":"ACbGCvpSABcILL3nCABFCAXAAABAADERhNO5U9pwg3KoG9lo2WgFrCCQQfVUKnrm4XUK3wfxxn8qlQ5ZlUxAsin94OmtvvCqeiNDv9hCgysXgIe\/Jwp6foEgyUgSLwbFE+jFX5EiTbzvLxw+eE+9kkIbIypcFMAA862am\/h5EhYX9oyZgZit\/ohLFdBZAd\/9piW+TIg1JYKUHUk24mSNhkzehqNGbaa8v1XNXvCAKUf+je80JL2ztiSjDNtOMrbTSNyuOyDQhbbpaRAakKCJ88rhmRVZWPpGUvSoCLUQLdy+ls4UP9VbLIv60yNlhG\/tIZF+Y9AgYJgNK7469NXCZUoHPgebmwGoSIBvEupGZ2HWMq5tD1YtSNLd5mdcZ4U6bdW57PJT8Mqpobu5nNKCEUTKU8fv54QllT27onCmdTrjSLU7i56qGCPKz8Pmgpd+4MU1sOXlteqk11G5kxvUePU9AHDMWVZcDsBw+8w6+Ab\/JxYo4ilYPsOkX7nL+VL0USjj5AuG8wFeeDnvZeQURQeN12MuZewRpRzkJa5jIqIQqHHvEIR3I+NlcYV0IJXsrpavQ6RSGtYmR7+94hoEShFxTK6D2mPtrdLiAqRfmJptPiSWLm5Mqo0iayfkgY6sd6M1vwIpwRPc0qQOtn1doDjup9IIauyzdANQF9x2voU4Z8dsvHyVyVE9VF\/Qdb\/Bbe15\/vrLpOF+cB00\/TXrJ07AVZHqEwel\/iScs2S9kgqiIjzb1T0G6y8xlHQV7ktrErMlC4GXnRqlxWayYa4G266nN6wc0wTy9MD7G5DpqxUPZwZIrxZiMHXc4mPXA210XTsNG7LVVQM581lStiGr1a4pUZOImjoO\/gk5frgMuu6jHFgEA+vJuy5sW5lQpb37IXQqFXKKxN2z8Ke+x4zy7ALHVigelzuNCf3HZfol1uD4eeP+2tpVITMiH4O5PCcLDMT1yYFhbvLg8pREkBITQB+rUBzFhHXEVteh6noPH6hIRkDIrLyfEHdswFs6MATwSlSxKkz0QuaSV8BEXCeHOM+JmmNRCgSmcHuzwrDdDGG7eSF7kzVOXV4KPQtBdbB4rq\/rFfGJFSiBXn2huFIeNdQhj4gFtDQIfYjXMsmhSsrScwjLj7C7jg2Rwm\/XuhfLgws3rBZC6s4ClAl8Lku7gDzAWOdYgK2FafJmEnZR3NXAFEI8JF5r5ITwwBATJADMcv7GO51VLOgFAuacu5w0kk1gxapzbHcSOdPeKJB+9voPecizTzqOKMuqIngnpb\/qfLXWqnLz7U6\/\/ui4aHgWF+lKp0xsjiPYD9YnVxFJE08oruybimAl5F4KHctwad6wrnqDh7AMDE3spgEO04z6pL2VZXL\/wvq6pxHL80kORMsGZgPOmyHtPCRE5Jd+RFgmwBejwRrNJFCuLc2P622GjZ1t\/hPuud14khvjnfHdyfKsl19iLyzwv7qu0oEoiwBrYf06g7MzcULZl4XUxJNSE9RYU15rJmRxguh4eXuIOqgIqrfkbI\/\/vDyBWYyc45utTloDIm+GnDiAeigtPF4FijLPE9qVDfQilPuHMnf6UDvllbgNqo19g3gnmLroqXep+7LyRYp4sWr4\/d\/TZKaCucaaCwVm1u\/1te\/n+aOftes5xygxK+OaKehbJ47nnj4GJRcueg7KFHNq2ES0Uj1Rh2+lhguZLWYwLh4\/FPK0vdBcca9l29F4kxSaDHn6BeoZpX+wivGn5jMTbID2EPugYpELm+yXQDHU1W7JBJkdRRhJfBWIKo8UZofXK4qgL2\/MqCqF2T2\/hEjt9sAO7DVGx2T23++65+kzCDH2qiAfrQdQFlN08V17FGkydmcJibPSSbSe7aLjPjiXuGdc7ip\/LMmiTS0sCJq6zHCBk5aHilHCEqmTl+eL9Q9vwrMeAdX+cTIhD7xTxK6aeGzriTEJFQi6+ZDkO2+SfJZlZhRSLhc55JEaOH4LdN2VABhAfw=="} 01734{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1495983428043295,"flow_dst_last_pkt_time":1495983428043218,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":958,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":958,"pkt_l4_len":924,"thread_ts_usec":1495983428043295,"pkt":"ACbGCvpSABcILL3nCABFCAOwAABAADERhuO5U9pwg3KoG9lo2WgDnO+CxkvMU5czu375VqRfqLEu7HGryDGh\/bfeaQJnEYyovrmntDxt74C8PKQJMHvY4MA1ZHuHhnLJLLc7h764zEbGLw\/vzqsaP4XOJmX3J5ZoXTmAMsXnjvJUPqVeWdg0PXJhqa6st9hNynxv5D0rpJqm0\/zV192qcE59jCUVvmB8PfyMGzNb8iu7j79YvIHCzFHzmycvx5sIdKuzv+9aaD2+9O1fWAuPwq8\/8DIg8DeQB7htbL3\/j6lwDGupSOVHCsI1+lYyNr8A5\/OFujJsJCBzKGXQVn+oJRoQMsFgr0giRTOfhVQb+GlZOLXTcVvxl6mNiWSoDQXoxAfPuixrlp8F\/MUrFtVqJYJIqlWUSZ0FHJzKiXJ5yQvwNmnsvYHqMQNW6ZCn++1tGEto8r5tq\/BDe0FvMAOQC\/Iq49d9xjtHRJaZkPSuUT0Ue8\/0Y0g7e7MLBCNRDp3pFvP\/SDROeSBv+1Hrsd3VgZ3eZsdET6SE7O+jiB1npy8XRuCERu\/h5FlX8FbvbKHJP4IXbapoGYosv9tEU2XONo65wz3MCF\/bVbrUPcOASb6j+c55C5rFZMKjA9llC2lki+5ox8NX3C0rsVb9ezbzAq4pvwBxx6yeMVlmBhRxjwXLWviN6bjb8+kKUMxdeqvtFZ90hWLG3av8x5N1D1shhjp\/Pkh3vfzESwJoedvps7xxuR16c9ku4Rlje1SzPbiXWLLd2ctB3NoWHVeTFrvLRU2yqM5LNXQpjLOWYVqndimokWzm3PvfsX2+ickLKvqhiNB8NMbCQKKllVtQtaf37M0W3hxij8fNqkfQ3Dwvv36xYQY6aA2cxZJ7cAJfgWt3+2IqzsbQ\/hOa1lDnl8uliASJ4hjXOWhi4prZ86H1uoSeDR53SAlBdMQQ3YoaLSv6kQQOXAUwHuZQi7+x\/RE5HfoAvVeNzG90OcOnL2uiCxjhyp3\/swc9NGfoqhpvTPlS\/HF6E4gzQu+uwm3Kmj7AsKixik3ciIBb6VqLoyiaQR35wKSQydm3qyc2A8RxVwJEHM9ChZNid+PGF9MC3cdjsTP6IG4AOw3VS8jLQznT38vyJvgWelWwQ+I9gJ2zh8MbfaLP+EWNQPI478wMYlCsuyg5uNNDg0lSF1epToqo6+lky+h2nAa21hKOviRtVRN8LV88QPWbYJx4n3gM4sg9yVPde6y+bdl\/hYGe1J5JIAW7OGyTqN+C43dvapKXMw=="} -01495{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":104,"source":"tinc.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1495983428000367,"flow_src_last_pkt_time":1495983431160747,"flow_dst_last_pkt_time":1495983430158623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1468,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":19148,"flow_dst_tot_l4_payload_len":16284,"midstream":0,"thread_ts_usec":1495983431160747,"l3_proto":"ip4","src_ip":"131.114.168.27","dst_ip":"185.83.218.112","src_port":55655,"dst_port":55655,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":23,"flow_avg":167954.4,"flow_max":1069532,"flow_stddev":371988.4,"c_to_s_min":68,"c_to_s_avg":189193.2,"c_to_s_max":1069532,"c_to_s_stddev":395657.9,"s_to_c_min":23,"s_to_c_avg":143883.7,"s_to_c_max":1024085,"s_to_c_stddev":341602.4},"pktlen": {"c_to_s_min":190,"c_to_s_avg":1168.4,"c_to_s_max":1510,"c_to_s_stddev":444.7,"s_to_c_min":190,"s_to_c_avg":1127.6,"s_to_c_max":1502,"s_to_c_stddev":455.7}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} -01494{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":113,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1495983428043218,"flow_src_last_pkt_time":1495983432571150,"flow_dst_last_pkt_time":1495983432526055,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":10944,"flow_dst_tot_l4_payload_len":20512,"midstream":0,"thread_ts_usec":1495983432571150,"l3_proto":"ip4","src_ip":"185.83.218.112","dst_ip":"131.114.168.27","src_port":55656,"dst_port":55656,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":24,"flow_avg":282037.8,"flow_max":2412459,"flow_stddev":551978.2,"c_to_s_min":24,"c_to_s_avg":378531.2,"c_to_s_max":2412459,"c_to_s_stddev":721565.0,"s_to_c_min":86,"s_to_c_avg":224141.8,"s_to_c_max":1048033,"s_to_c_stddev":407622.2},"pktlen": {"c_to_s_min":190,"c_to_s_avg":954.0,"c_to_s_max":1486,"c_to_s_stddev":431.4,"s_to_c_min":118,"s_to_c_avg":1067.6,"s_to_c_max":1494,"s_to_c_stddev":456.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01495{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":104,"source":"tinc.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1495983428000367,"flow_src_last_pkt_time":1495983431160747,"flow_dst_last_pkt_time":1495983430158623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1468,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":19148,"flow_dst_tot_l4_payload_len":16284,"midstream":0,"thread_ts_usec":1495983431160747,"l3_proto":"ip4","src_ip":"131.114.168.27","dst_ip":"185.83.218.112","src_port":55655,"dst_port":55655,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":23,"flow_avg":171568.9,"flow_max":1069532,"flow_stddev":377387.1,"c_to_s_min":68,"c_to_s_avg":197523.8,"c_to_s_max":1069532,"c_to_s_stddev":406385.9,"s_to_c_min":23,"s_to_c_avg":143883.7,"s_to_c_max":1024085,"s_to_c_stddev":341602.4},"pktlen": {"c_to_s_min":190,"c_to_s_avg":1168.4,"c_to_s_max":1510,"c_to_s_stddev":444.7,"s_to_c_min":190,"s_to_c_avg":1127.6,"s_to_c_max":1502,"s_to_c_stddev":455.7}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01494{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":113,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1495983428043218,"flow_src_last_pkt_time":1495983432571150,"flow_dst_last_pkt_time":1495983432526055,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":10944,"flow_dst_tot_l4_payload_len":20512,"midstream":0,"thread_ts_usec":1495983432571150,"l3_proto":"ip4","src_ip":"185.83.218.112","dst_ip":"131.114.168.27","src_port":55656,"dst_port":55656,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":24,"flow_avg":290670.0,"flow_max":2412459,"flow_stddev":558680.6,"c_to_s_min":24,"c_to_s_avg":411630.2,"c_to_s_max":2412459,"c_to_s_stddev":744877.2,"s_to_c_min":86,"s_to_c_avg":224141.8,"s_to_c_max":1048033,"s_to_c_stddev":407622.2},"pktlen": {"c_to_s_min":190,"c_to_s_avg":954.0,"c_to_s_max":1486,"c_to_s_stddev":431.4,"s_to_c_min":118,"s_to_c_avg":1067.6,"s_to_c_max":1494,"s_to_c_stddev":456.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01042{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":317,"source":"tinc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":13,"flow_first_seen":1495983427744301,"flow_src_last_pkt_time":1495983475109122,"flow_dst_last_pkt_time":1495983475109062,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1039,"flow_dst_max_l4_payload_len":1037,"flow_src_tot_l4_payload_len":3036,"flow_dst_tot_l4_payload_len":2354,"midstream":0,"thread_ts_usec":1495983475109122,"l3_proto":"ip4","src_ip":"131.114.168.27","dst_ip":"185.83.218.112","src_port":49290,"dst_port":55656,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01055{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":317,"source":"tinc.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":101,"flow_dst_packets_processed":29,"flow_first_seen":1495983428000367,"flow_src_last_pkt_time":1495983470930418,"flow_dst_last_pkt_time":1495983470973187,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":76,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1468,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":132724,"flow_dst_tot_l4_payload_len":31332,"midstream":0,"thread_ts_usec":1495983475109122,"l3_proto":"ip4","src_ip":"131.114.168.27","dst_ip":"185.83.218.112","src_port":55655,"dst_port":55655,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01056{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":317,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":29,"flow_dst_packets_processed":105,"flow_first_seen":1495983428043218,"flow_src_last_pkt_time":1495983463866065,"flow_dst_last_pkt_time":1495983463817214,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":116,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1468,"flow_src_tot_l4_payload_len":28820,"flow_dst_tot_l4_payload_len":135316,"midstream":0,"thread_ts_usec":1495983475109122,"l3_proto":"ip4","src_ip":"185.83.218.112","dst_ip":"131.114.168.27","src_port":55656,"dst_port":55656,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} diff --git a/test/results/tls-appdata.pcap.out b/test/results/tls-appdata.pcap.out index 9fcf2b49c..19b4bbdfb 100644 --- a/test/results/tls-appdata.pcap.out +++ b/test/results/tls-appdata.pcap.out @@ -12,7 +12,7 @@ 00870{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610288724000,"flow_dst_last_pkt_time":1643610288722000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1472,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1643610288724000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitch","proto_id":"91.195","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1643610288724000,"flow_dst_last_pkt_time":1643610288737000,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1643610288737000,"pkt":"YDjgxTWgeJS0JASgCABFAAAoJklAADkGXZQ038YHwKgCZAG75mCdFTAgOSeK4VAQCRZvcQAAAAAAAAAA"} 00765{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":31,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1642636825083000,"flow_src_last_pkt_time":1642636825195000,"flow_dst_last_pkt_time":1642636825303000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":135,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":429,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1643610288741000,"l3_proto":"ip4","src_ip":"179.60.195.173","dst_ip":"192.168.2.100","src_port":443,"dst_port":60636,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} -01239{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610304703000,"flow_dst_last_pkt_time":1643610304703000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":2904,"flow_src_tot_l4_payload_len":4416,"flow_dst_tot_l4_payload_len":30419,"midstream":1,"thread_ts_usec":1643610304703000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1000,"flow_avg":202340864.0,"flow_max":2800810104,"flow_stddev":720707008.0,"c_to_s_min":1000,"c_to_s_avg":352098880.0,"c_to_s_max":2800810104,"c_to_s_stddev":925540544.0,"s_to_c_min":1000,"s_to_c_avg":2663500.0,"s_to_c_max":15956000,"s_to_c_stddev":5944588.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":313.8,"c_to_s_max":1506,"c_to_s_stddev":551.9,"s_to_c_min":60,"s_to_c_avg":2083.1,"s_to_c_max":2958,"s_to_c_stddev":1156.0}}} +01227{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610304703000,"flow_dst_last_pkt_time":1643610304703000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":2904,"flow_src_tot_l4_payload_len":4416,"flow_dst_tot_l4_payload_len":30419,"midstream":1,"thread_ts_usec":1643610304703000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1000,"flow_avg":2458615.5,"flow_max":15956000,"flow_stddev":5752110.0,"c_to_s_min":1000,"c_to_s_avg":2283000.0,"c_to_s_max":15941000,"c_to_s_stddev":5575859.5,"s_to_c_min":1000,"s_to_c_avg":2663500.0,"s_to_c_max":15956000,"s_to_c_stddev":5944588.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":313.8,"c_to_s_max":1506,"c_to_s_stddev":551.9,"s_to_c_min":60,"s_to_c_avg":2083.1,"s_to_c_max":2958,"s_to_c_stddev":1156.0}}} 00887{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":38,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610304703000,"flow_dst_last_pkt_time":1643610304703000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":2904,"flow_src_tot_l4_payload_len":4416,"flow_dst_tot_l4_payload_len":30419,"midstream":1,"thread_ts_usec":1643610304703000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitch","proto_id":"91.195","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":46,"source":"tls-appdata.pcap","alias":"nDPId-test","packets-captured":46,"packets-processed":45,"total-skipped-flows":0,"total-l4-payload-len":41014,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":1,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1643611942615000} 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":76,"source":"tls-appdata.pcap","alias":"nDPId-test","packets-captured":76,"packets-processed":75,"total-skipped-flows":0,"total-l4-payload-len":70000,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":1,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":18,"global_ts_usec":1643612754900000} diff --git a/test/results/tls_certificate_too_long.pcap.out b/test/results/tls_certificate_too_long.pcap.out index 432a9b0bd..098e7b410 100644 --- a/test/results/tls_certificate_too_long.pcap.out +++ b/test/results/tls_certificate_too_long.pcap.out @@ -123,8 +123,8 @@ 02205{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":115,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_src_last_pkt_time":1626168078674936,"flow_dst_last_pkt_time":1626168078673880,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1292,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1292,"pkt_l4_len":1258,"thread_ts_usec":1626168078674936,"pkt":"WNVuaKQA8BiYFWV8CABFAgT+AABAAEAGnGLAqAF5NGKjEtC0AbvnBmXsyo5yyVAYEACH9AAAFwMDBNEAAAAAAAAA3P9mE\/WxzRlzhJVvrME7arSt4cc4b80\/fLZ45lg2jTLN+h8OznVOp0v0YJHlvGb6zo1R0y0127nCMLhWICtDPy2FtY028GLgaBdr\/YLaP88jpPC2wcimHwfty2x4WKI+LPeYoEPRAYicmmTAxPlFzZuaf1iKs+Yu1pMdI4311+rTrqclcjjttiygU+MPtoh4rbcQQi4hllQZ9bpYWoVqJ+iSt2BigYH05vsyHmu879GAhVkohrBF89b4NLKyNAMo0\/QxqgG1rqZTGisx7FjNs8y8uxtw5iKWrSpnhwqsK8HdkzdODGF90yeLdn3CCNJgdm3aNHt1MWZ4JOUy5GzAb47y2cy051il96yYxnPjPoqHZ+sb8GqydD+Wdtw8hwTtkDW7xa7mACJTwuWOIU79l2oDnl63ylL8+JOFMkvCyqpvRSJQTp84k5efBKX3KzQjur4Xu79lO0LFF2NRDD6HkdNIzdZ6GrjQ6cfeKSx84X\/NzyeoBGfExOO\/4zYWpKYV5emN2qK2WwFz9V6yUT4FYCEpMENn4zKRUt2gX3+QJ3UggRDfQ8Atlul6XoqofW\/JfCf+PszhgtXLpc9QxVs3UVfeC+BCBsI\/evJsy+X2zvUBACJp1Cao7EAa\/un53A8cu1w+QQ\/3\/qpgFcwuebDk+bTd2XwEmQcRY5ntXb11cm+t6EgiuWMc8LtkZLW4g6Qk7C3exETENqr8qaKtA57iz69EbEaWfUTp590Cm1yhdVWnzQVccpyZRGULka\/D5PTiR6o3UCqpNAg8I43q9sRPGdaOzmk6LqC8kGMMj1N8P2DVYvcwJb3HB14BO5Blfb4kQNaSZCX81P5eekubMcrCkaYeLnnSigA4c2KBCJI0\/apWCuj0F93qKZChgzKT77EQe9PNeEwH9qa2yEnfxe42M9M\/dR+ZqezhwWXFtPpr0H\/z1rdkNoyBVAssfrasWrQx8flrDgnBIYD1460XCzVYLXxrhZgLoJb3EnAJ7vXCxsY0pXppBEZDDdim91oHmoHdPCYl0He7JYRSbPjtQSoUoTzcJp7PxKyOdGVLYBgNJz7zY+ZgHgZgGwjl0V0nqegEjC35a9y8SnKE63ljmDCyN8pWus5ViXGLvQ2Q\/1YgRAjjfufkIFVVjlXa01yHVzB76HDZ1tJk9CCm9ap34gzfAiHToNIXmogCeGqn2CdKyBeaiMSGkpYWcPn2x5217jPoRlFNQrlxxA+bM2VQvFdzsWSjAthvEYT8M0NKxSkvF5fH3eNJZYaUGLIiBrgIGbm4pAM\/x0xPOGKmtUmoLltnDzmkCbUcHYiWy3Y7nJHL865N2SK80a9Zp+7VINzLRf\/Ervx7NR7ytI7hPsERS2gR+t5ngZO4VMBVWlnWrW+Q0k4Q1KqCHh7RRwRxv5sH62zb+RmG6I1XbjkIiH\/fDv5F+LoUplAhBWHtQdc4gcY6R330O9wWahGV3oVm2bRxt8RZJJruLD1DYhwwT99J89GgAfYqHkYbcpYCi6LHqYqrQ6UmOTNERlSpwcXx4Ujj\/ftQuU3MAdSrHpDwvlJG8V3434OyaQQ78dblNHDOqOcIm3UL5vFVeeu11Ar10lwqpNk+NFgn+2DriZe1BIfTkQZAL4Pitnn2QjlLKFQ="} 00653{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":116,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_src_last_pkt_time":1626168078654016,"flow_dst_last_pkt_time":1626168078676716,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":147,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":147,"pkt_l4_len":113,"thread_ts_usec":1626168078676716,"pkt":"8BiYFWV8WNVuaKQACABFAACFmUUAAHgR1vEICAgIwKgBeQA1yx4AcZEiotGBgAABAAEAAAAAAzIzNQIzMwIyMgEyB2luLWFkZHIEYXJwYQAADAABwAwADAABAABT5QAzDGEyLTIyLTMzLTIzNQZkZXBsb3kGc3RhdGljEmFrYW1haXRlY2hub2xvZ2llcwNjb20A"} 01035{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":116,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1626168078653044,"flow_src_last_pkt_time":1626168078654016,"flow_dst_last_pkt_time":1626168078676716,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":105,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":105,"midstream":0,"thread_ts_usec":1626168078676716,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Google","proto_id":"5.126","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"235.33.22.2.in-addr.arpa","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":12,"rsp_type":12,"rsp_addr":"0.0.0.0"}}} -01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":155,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1626168078673569,"flow_src_last_pkt_time":1626168078741395,"flow_dst_last_pkt_time":1626168078741532,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1318,"flow_src_tot_l4_payload_len":6192,"flow_dst_tot_l4_payload_len":5635,"midstream":1,"thread_ts_usec":1626168078741532,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53429,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":5390.1,"flow_max":66556,"flow_stddev":14758.0,"c_to_s_min":1,"c_to_s_avg":17670.2,"c_to_s_max":66556,"c_to_s_stddev":25657.0,"s_to_c_min":1,"s_to_c_avg":2831.8,"s_to_c_max":42219,"s_to_c_stddev":9384.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":938.6,"c_to_s_max":1502,"c_to_s_stddev":600.5,"s_to_c_min":54,"s_to_c_avg":279.4,"s_to_c_max":1372,"s_to_c_stddev":236.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} -01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":182,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1626168078673880,"flow_src_last_pkt_time":1626168078802752,"flow_dst_last_pkt_time":1626168078815501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1312,"flow_src_tot_l4_payload_len":8443,"flow_dst_tot_l4_payload_len":4308,"midstream":1,"thread_ts_usec":1626168078815501,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53428,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8462.6,"flow_max":48024,"flow_stddev":14206.5,"c_to_s_min":1,"c_to_s_avg":10765.2,"c_to_s_max":48024,"c_to_s_stddev":17082.4,"s_to_c_min":1,"s_to_c_avg":7081.0,"s_to_c_max":37039,"s_to_c_stddev":11947.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":757.6,"c_to_s_max":1502,"c_to_s_stddev":557.4,"s_to_c_min":54,"s_to_c_avg":270.6,"s_to_c_max":1366,"s_to_c_stddev":331.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} +01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":155,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1626168078673569,"flow_src_last_pkt_time":1626168078741395,"flow_dst_last_pkt_time":1626168078741532,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1318,"flow_src_tot_l4_payload_len":6192,"flow_dst_tot_l4_payload_len":5635,"midstream":1,"thread_ts_usec":1626168078741532,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53429,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":4849.6,"flow_max":66556,"flow_stddev":14734.4,"c_to_s_min":1,"c_to_s_avg":16956.5,"c_to_s_max":66556,"c_to_s_stddev":28641.0,"s_to_c_min":1,"s_to_c_avg":2831.8,"s_to_c_max":42219,"s_to_c_stddev":9384.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":938.6,"c_to_s_max":1502,"c_to_s_stddev":600.5,"s_to_c_min":54,"s_to_c_avg":279.4,"s_to_c_max":1372,"s_to_c_stddev":236.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} +01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":182,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1626168078673880,"flow_src_last_pkt_time":1626168078802752,"flow_dst_last_pkt_time":1626168078815501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1312,"flow_src_tot_l4_payload_len":8443,"flow_dst_tot_l4_payload_len":4308,"midstream":1,"thread_ts_usec":1626168078815501,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53428,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8725.6,"flow_max":48024,"flow_stddev":14356.9,"c_to_s_min":1,"c_to_s_avg":11715.6,"c_to_s_max":48024,"c_to_s_stddev":17535.6,"s_to_c_min":1,"s_to_c_avg":7081.0,"s_to_c_max":37039,"s_to_c_stddev":11947.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":757.6,"c_to_s_max":1502,"c_to_s_stddev":557.4,"s_to_c_min":54,"s_to_c_avg":270.6,"s_to_c_max":1366,"s_to_c_stddev":331.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} 00772{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":236,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1626168079158693,"flow_src_last_pkt_time":1626168079158693,"flow_dst_last_pkt_time":1626168079158693,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1626168079158693,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00561{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":236,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":1,"flow_src_last_pkt_time":1626168079158693,"flow_dst_last_pkt_time":1626168079158693,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1626168079158693,"pkt":"WNVuaKQA8BiYFWV8CABFAABAAABAAEAGRffAqAF5KHEKL9KaAbvsuitsAAAAALAC\/\/8ZDgAAAgQFtAEDAwYBAQgKPdH+3gAAAAAEAgAA"} 00772{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":237,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1626168079191811,"flow_src_last_pkt_time":1626168079191811,"flow_dst_last_pkt_time":1626168079191811,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1626168079191811,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53915,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/tls_long_cert.pcap.out b/test/results/tls_long_cert.pcap.out index 3a9841d29..abea9a3d7 100644 --- a/test/results/tls_long_cert.pcap.out +++ b/test/results/tls_long_cert.pcap.out @@ -7,7 +7,7 @@ 01108{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078058827,"flow_dst_last_pkt_time":1553619078058439,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1553619078058827,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.repubblica.it","tls": {"version":"TLSv1.2","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01168{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078058827,"flow_dst_last_pkt_time":1553619078091883,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1553619078091883,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.repubblica.it","tls": {"version":"TLSv1.2","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"35af4c8cd9495354f7d701ce8ad7fd2d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 02753{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078093048,"flow_dst_last_pkt_time":1553619078093749,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":4096,"midstream":0,"thread_ts_usec":1553619078093749,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.repubblica.it","tls": {"version":"TLSv1.2","server_names":"www.repstatic.it,repstatic.it,amp-video.lastampa.it,www.repubblica.it,amp-video.deejay.it,amp-video.d.repubblica.it,www.gelestatic.it,oasjs.kataweb.it,video.d.repubblica.it,www.test.capital.it,napoli.repubblica.it,video.ilsecoloxix.it,genova.repubblica.it,cdn.gelestatic.it,video.gelocal.it,media.deejay.it,media.m2o.it,amp-video.espresso.repubblica.it,download.gelocal.it,amp-video.m2o.it,bologna.repubblica.it,torino.repubblica.it,scripts.kataweb.it,palermo.repubblica.it,roma.repubblica.it,video.xl.repubblica.it,amp-video.gelocal.it,video.espresso.repubblica.it,www.capital.it,video.limesonline.com,media.capital.it,syndication-vod-pro.akamai.media.kataweb.it,test.capital.it,video.deejay.it,video.repubblica.it,milano.repubblica.it,video.lanuovasardegna.it,video.m2o.it,parma.repubblica.it,video.3nz.it,syndication-vod-hds.akamai.media.kataweb.it,amp-video.repubblica.it,video.lastampa.it,webfragments.repubblica.it,amp-video.xl.repubblica.it,amp-video.limesonline.com,media.kataweb.it,bari.repubblica.it,syndication-vod-hls.akamai.media.kataweb.it,amp-video.3nz.it,syndication3rd-vod-pro.akamai.media.kataweb.it,firenze.repubblica.it,amp-video.ilsecoloxix.it,amp-video.lanuovasardegna.it,cdn.flv.kataweb.it","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"35af4c8cd9495354f7d701ce8ad7fd2d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018","subjectDN":"C=IT, ST=Roma, L=Roma, O=GEDI Digital S.r.l., CN=www.repstatic.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"0C:9F:21:DB:65:A1:BE:EB:D8:89:38:D3:FF:7A:D9:02:8B:F1:60:A1"}}} -01468{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078157096,"flow_dst_last_pkt_time":1553619078157742,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":836,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1610,"flow_dst_tot_l4_payload_len":13760,"midstream":0,"thread_ts_usec":1553619078157742,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":17446852.0,"flow_max":558050888,"flow_stddev":97095352.0,"c_to_s_min":1,"c_to_s_avg":34885920.0,"c_to_s_max":558050888,"c_to_s_stddev":135080608.0,"s_to_c_min":1,"s_to_c_avg":7781.4,"s_to_c_max":30105,"s_to_c_stddev":11455.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":167.4,"c_to_s_max":902,"c_to_s_stddev":227.5,"s_to_c_min":66,"s_to_c_avg":926.5,"s_to_c_max":1514,"s_to_c_stddev":586.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01445{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078157096,"flow_dst_last_pkt_time":1553619078157742,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":836,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1610,"flow_dst_tot_l4_payload_len":13760,"midstream":0,"thread_ts_usec":1553619078157742,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8011.5,"flow_max":34221,"flow_stddev":11402.3,"c_to_s_min":1,"c_to_s_avg":8257.1,"c_to_s_max":34221,"c_to_s_stddev":11339.8,"s_to_c_min":1,"s_to_c_avg":7781.4,"s_to_c_max":30105,"s_to_c_stddev":11455.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":167.4,"c_to_s_max":902,"c_to_s_stddev":227.5,"s_to_c_min":66,"s_to_c_avg":926.5,"s_to_c_max":1514,"s_to_c_stddev":586.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01028{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":182,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":86,"flow_dst_packets_processed":96,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619149347313,"flow_dst_last_pkt_time":1553619149372363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":836,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2858,"flow_dst_tot_l4_payload_len":102711,"midstream":0,"thread_ts_usec":1553619149372363,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00570{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":182,"source":"tls_long_cert.pcap","alias":"nDPId-test","packets-captured":182,"packets-processed":182,"total-skipped-flows":0,"total-l4-payload-len":105569,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1553619149372363} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/tls_verylong_certificate.pcap.out b/test/results/tls_verylong_certificate.pcap.out index ca04a45c6..36000eb5f 100644 --- a/test/results/tls_verylong_certificate.pcap.out +++ b/test/results/tls_verylong_certificate.pcap.out @@ -7,7 +7,7 @@ 01055{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908475203,"flow_dst_last_pkt_time":1578254908469342,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578254908475203,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 01115{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908475203,"flow_dst_last_pkt_time":1578254908490162,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1368,"midstream":0,"thread_ts_usec":1578254908490162,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}} 03922{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908490465,"flow_dst_last_pkt_time":1578254908490567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5472,"midstream":0,"thread_ts_usec":1578254908490567,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","server_names":"p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net","alpn":"http\/1.1","fingerprint":"E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B"}}} -01225{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908528417,"flow_dst_last_pkt_time":1578254908528437,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":813,"flow_dst_tot_l4_payload_len":14097,"midstream":0,"thread_ts_usec":1578254908528437,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":14256465.0,"flow_max":456065543,"flow_stddev":79351256.0,"c_to_s_min":2,"c_to_s_avg":30409082.0,"c_to_s_max":456065543,"c_to_s_stddev":113761480.0,"s_to_c_min":2,"s_to_c_avg":4158.0,"s_to_c_max":21714,"s_to_c_stddev":7103.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":121.0,"c_to_s_max":583,"c_to_s_stddev":133.4,"s_to_c_min":66,"s_to_c_avg":895.7,"s_to_c_max":1434,"s_to_c_stddev":644.7}}} +01200{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908528417,"flow_dst_last_pkt_time":1578254908528437,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":813,"flow_dst_tot_l4_payload_len":14097,"midstream":0,"thread_ts_usec":1578254908528437,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":4559.7,"flow_max":21714,"flow_stddev":6622.1,"c_to_s_min":2,"c_to_s_avg":5047.6,"c_to_s_max":15209,"c_to_s_stddev":5949.0,"s_to_c_min":2,"s_to_c_avg":4158.0,"s_to_c_max":21714,"s_to_c_stddev":7103.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":121.0,"c_to_s_max":583,"c_to_s_stddev":133.4,"s_to_c_min":66,"s_to_c_avg":895.7,"s_to_c_max":1434,"s_to_c_stddev":644.7}}} 03925{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908528417,"flow_dst_last_pkt_time":1578254908528437,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":813,"flow_dst_tot_l4_payload_len":14097,"midstream":0,"thread_ts_usec":1578254908528437,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","server_names":"p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net","alpn":"http\/1.1","fingerprint":"E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B"}}} 01037{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":48,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":24,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908551114,"flow_dst_last_pkt_time":1578254908551079,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":844,"flow_dst_tot_l4_payload_len":18233,"midstream":0,"thread_ts_usec":1578254908551114,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media"}} 00577{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":48,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","packets-captured":48,"packets-processed":48,"total-skipped-flows":0,"total-l4-payload-len":19077,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1578254908551114} diff --git a/test/results/tor.pcap.out b/test/results/tor.pcap.out index b36754f87..dd83607cc 100644 --- a/test/results/tor.pcap.out +++ b/test/results/tor.pcap.out @@ -71,8 +71,8 @@ 00692{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":105,"source":"tor.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1383821703288336,"flow_dst_last_pkt_time":1383821673254958,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":186,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":186,"pkt_l4_len":152,"thread_ts_usec":1383821703288336,"pkt":"\/\/\/\/\/\/\/\/UlQAwqwfCABFAACsAABAAEARtfDAqAEBwKgB\/0RcRFwAmDDeeyJob3N0X2ludCI6IDY3Njg3OTk3NiwgInZlcnNpb24iOiBbMSwgOF0sICJkaXNwbGF5bmFtZSI6ICI2NzY4Nzk5NzYiLCAicG9ydCI6IDE3NTAwLCAibmFtZXNwYWNlcyI6IFsxNjc4NDEyMTYsIDE4MTA4Mzk2OCwgMTgxMDgwMzI0LCAyOTU0NDE3M119"} 00182{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":111,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821704212955} 00348{"packet_event_id":1,"packet_event_name":"packet","packet_id":111,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821703723048,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} -01824{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":117,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383821668403824,"flow_src_last_pkt_time":1383821704424659,"flow_dst_last_pkt_time":1383821704566665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4598,"flow_dst_tot_l4_payload_len":5464,"midstream":0,"thread_ts_usec":1383821704566665,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51112,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":113,"flow_avg":2268644.0,"flow_max":31166013,"flow_stddev":7438240.0,"c_to_s_min":386,"c_to_s_avg":2602411.8,"c_to_s_max":30770666,"c_to_s_stddev":7845987.5,"s_to_c_min":113,"s_to_c_avg":2009046.6,"s_to_c_max":31166013,"s_to_c_stddev":7094095.5},"pktlen": {"c_to_s_min":60,"c_to_s_avg":384.6,"c_to_s_max":640,"c_to_s_stddev":263.1,"s_to_c_min":54,"s_to_c_avg":358.2,"s_to_c_max":1514,"s_to_c_stddev":412.1}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}} -01586{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":124,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383821665420161,"flow_src_last_pkt_time":1383821704889950,"flow_dst_last_pkt_time":1383821704958016,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3939,"flow_dst_tot_l4_payload_len":9093,"midstream":0,"thread_ts_usec":1383821704958016,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":120,"flow_avg":14422672.0,"flow_max":382517873,"flow_stddev":66738980.0,"c_to_s_min":754,"c_to_s_avg":30141974.0,"c_to_s_max":382517873,"c_to_s_stddev":98206736.0,"s_to_c_min":120,"s_to_c_avg":2196547.5,"s_to_c_max":37995839,"s_to_c_stddev":8682991.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":337.9,"c_to_s_max":640,"c_to_s_stddev":267.5,"s_to_c_min":54,"s_to_c_avg":559.8,"s_to_c_max":1514,"s_to_c_stddev":571.0}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01824{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":117,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383821668403824,"flow_src_last_pkt_time":1383821704424659,"flow_dst_last_pkt_time":1383821704566665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4598,"flow_dst_tot_l4_payload_len":5464,"midstream":0,"thread_ts_usec":1383821704566665,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51112,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":113,"flow_avg":2328505.8,"flow_max":31166013,"flow_stddev":7549668.5,"c_to_s_min":386,"c_to_s_avg":2770833.5,"c_to_s_max":30770666,"c_to_s_stddev":8117742.5,"s_to_c_min":113,"s_to_c_avg":2009046.6,"s_to_c_max":31166013,"s_to_c_stddev":7094095.5},"pktlen": {"c_to_s_min":60,"c_to_s_avg":384.6,"c_to_s_max":640,"c_to_s_stddev":263.1,"s_to_c_min":54,"s_to_c_avg":358.2,"s_to_c_max":1514,"s_to_c_stddev":412.1}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}} +01581{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":124,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383821665420161,"flow_src_last_pkt_time":1383821704889950,"flow_dst_last_pkt_time":1383821704958016,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3939,"flow_dst_tot_l4_payload_len":9093,"midstream":0,"thread_ts_usec":1383821704958016,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":120,"flow_avg":2548633.8,"flow_max":37995839,"flow_stddev":9273754.0,"c_to_s_min":754,"c_to_s_avg":3036137.5,"c_to_s_max":37720424,"c_to_s_stddev":10014062.0,"s_to_c_min":120,"s_to_c_avg":2196547.5,"s_to_c_max":37995839,"s_to_c_stddev":8682991.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":337.9,"c_to_s_max":640,"c_to_s_stddev":267.5,"s_to_c_min":54,"s_to_c_avg":559.8,"s_to_c_max":1514,"s_to_c_stddev":571.0}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00182{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":156,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821706213267} 00348{"packet_event_id":1,"packet_event_name":"packet","packet_id":156,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821706194070,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} 00182{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":185,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821708213145} @@ -146,7 +146,7 @@ 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":1817,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821771201495,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1818,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821774213020} 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":1818,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821771201495,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} -01824{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1820,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1383821666407384,"flow_src_last_pkt_time":1383821774388112,"flow_dst_last_pkt_time":1383821702813857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3946,"flow_dst_tot_l4_payload_len":5300,"midstream":0,"thread_ts_usec":1383821774388112,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"46.59.52.31","src_port":51111,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":90,"flow_avg":4523247.0,"flow_max":71328355,"flow_stddev":14575361.0,"c_to_s_min":357,"c_to_s_avg":7222495.0,"c_to_s_max":71328355,"c_to_s_stddev":19130536.0,"s_to_c_min":90,"s_to_c_avg":2141557.2,"s_to_c_max":34353103,"s_to_c_stddev":8053996.5},"pktlen": {"c_to_s_min":60,"c_to_s_avg":319.9,"c_to_s_max":640,"c_to_s_stddev":267.5,"s_to_c_min":54,"s_to_c_avg":366.5,"s_to_c_max":1514,"s_to_c_stddev":403.2}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}} +01824{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1820,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1383821666407384,"flow_src_last_pkt_time":1383821774388112,"flow_dst_last_pkt_time":1383821702813857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3946,"flow_dst_tot_l4_payload_len":5300,"midstream":0,"thread_ts_usec":1383821774388112,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"46.59.52.31","src_port":51111,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":90,"flow_avg":4657651.5,"flow_max":71328355,"flow_stddev":14789051.0,"c_to_s_min":357,"c_to_s_avg":7712909.0,"c_to_s_max":71328355,"c_to_s_stddev":19710682.0,"s_to_c_min":90,"s_to_c_avg":2141557.2,"s_to_c_max":34353103,"s_to_c_stddev":8053996.5},"pktlen": {"c_to_s_min":60,"c_to_s_avg":319.9,"c_to_s_max":640,"c_to_s_stddev":267.5,"s_to_c_min":54,"s_to_c_avg":366.5,"s_to_c_max":1514,"s_to_c_stddev":403.2}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1828,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821776213090} 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":1828,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821774532755,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1829,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821778213143} @@ -185,10 +185,10 @@ 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1892,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1383822131034064,"flow_dst_last_pkt_time":1383822131033681,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1383822131034064,"pkt":"UlQA2EYhUlQAWul3CABFAAAoCK9AAIAGwmLAqAH8JuVGNcfoAbv0twfgYNP3BVAQAQBhAQAAAAAAAAAA"} 01140{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1893,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1383822130889737,"flow_src_last_pkt_time":1383822131034778,"flow_dst_last_pkt_time":1383822131033681,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1383822131034778,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.jmts2id.com","tls": {"version":"TLSv1","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01452{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1896,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1383822130889737,"flow_src_last_pkt_time":1383822131034778,"flow_dst_last_pkt_time":1383822131220406,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":929,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":929,"midstream":0,"thread_ts_usec":1383822131220406,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.jmts2id.com","tls": {"version":"TLSv1","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"e1691a31bfe345d2692da75636ddfb00","unsafe_cipher":0,"cipher":"TLS_DHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"CN=www.gg562izcxdvqdk.com","subjectDN":"CN=www.fcsyvnlemwxv5p.net","fingerprint":"C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A"}}} -01828{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1918,"source":"tor.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383822129897135,"flow_src_last_pkt_time":1383822132138706,"flow_dst_last_pkt_time":1383822132203451,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4523,"flow_dst_tot_l4_payload_len":5299,"midstream":0,"thread_ts_usec":1383822132203451,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51175,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":146,"flow_avg":11596188.0,"flow_max":366530136,"flow_stddev":63748388.0,"c_to_s_min":925,"c_to_s_avg":26340836.0,"c_to_s_max":366530136,"c_to_s_stddev":94351768.0,"s_to_c_min":146,"s_to_c_avg":128128.7,"s_to_c_max":990883,"s_to_c_stddev":222057.9},"pktlen": {"c_to_s_min":60,"c_to_s_avg":379.2,"c_to_s_max":640,"c_to_s_stddev":266.2,"s_to_c_min":54,"s_to_c_avg":349.1,"s_to_c_max":1514,"s_to_c_stddev":398.3}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}} +01814{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1918,"source":"tor.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383822129897135,"flow_src_last_pkt_time":1383822132138706,"flow_dst_last_pkt_time":1383822132203451,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4523,"flow_dst_tot_l4_payload_len":5299,"midstream":0,"thread_ts_usec":1383822132203451,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51175,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":146,"flow_avg":146706.0,"flow_max":990883,"flow_stddev":220400.9,"c_to_s_min":925,"c_to_s_avg":172428.5,"c_to_s_max":693937,"c_to_s_stddev":215457.6,"s_to_c_min":146,"s_to_c_avg":128128.7,"s_to_c_max":990883,"s_to_c_stddev":222057.9},"pktlen": {"c_to_s_min":60,"c_to_s_avg":379.2,"c_to_s_max":640,"c_to_s_stddev":266.2,"s_to_c_min":54,"s_to_c_avg":349.1,"s_to_c_max":1514,"s_to_c_stddev":398.3}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1919,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383822132212345} 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":1919,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383822132203451,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} -01568{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1933,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383822130889737,"flow_src_last_pkt_time":1383822133768898,"flow_dst_last_pkt_time":1383822133768590,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3998,"flow_dst_tot_l4_payload_len":5464,"midstream":0,"thread_ts_usec":1383822133768898,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":215,"flow_avg":185317.8,"flow_max":755290,"flow_stddev":161048.6,"c_to_s_min":714,"c_to_s_avg":217951.2,"c_to_s_max":755290,"c_to_s_stddev":186370.2,"s_to_c_min":215,"s_to_c_avg":159936.3,"s_to_c_max":608487,"s_to_c_stddev":132747.4},"pktlen": {"c_to_s_min":60,"c_to_s_avg":342.6,"c_to_s_max":640,"c_to_s_stddev":265.1,"s_to_c_min":54,"s_to_c_avg":358.2,"s_to_c_max":1514,"s_to_c_stddev":412.1}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01568{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1933,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383822130889737,"flow_src_last_pkt_time":1383822133768898,"flow_dst_last_pkt_time":1383822133768590,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3998,"flow_dst_tot_l4_payload_len":5464,"midstream":0,"thread_ts_usec":1383822133768898,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":215,"flow_avg":185742.4,"flow_max":755290,"flow_stddev":163607.9,"c_to_s_min":714,"c_to_s_avg":221473.9,"c_to_s_max":755290,"c_to_s_stddev":192955.8,"s_to_c_min":215,"s_to_c_avg":159936.3,"s_to_c_max":608487,"s_to_c_stddev":132747.4},"pktlen": {"c_to_s_min":60,"c_to_s_avg":342.6,"c_to_s_max":640,"c_to_s_stddev":265.1,"s_to_c_min":54,"s_to_c_avg":358.2,"s_to_c_max":1514,"s_to_c_stddev":412.1}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01135{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1936,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":62,"flow_dst_packets_processed":79,"flow_first_seen":1383821665420161,"flow_src_last_pkt_time":1383821774457983,"flow_dst_last_pkt_time":1383821774457610,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":19175,"flow_dst_tot_l4_payload_len":41545,"midstream":0,"thread_ts_usec":1383822133787472,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01029{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1936,"source":"tor.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1383821693159821,"flow_src_last_pkt_time":1383821693159821,"flow_dst_last_pkt_time":1383821693159821,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":210,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1383822133787472,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"192.168.1.255","src_port":138,"dst_port":138,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv1","proto_id":"10.16","encrypted":0,"breed":"Dangerous","category_id":18,"category":"System"}} 00871{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1936,"source":"tor.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1383821734359648,"flow_src_last_pkt_time":1383821734359648,"flow_dst_last_pkt_time":1383821734359648,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1383822133787472,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"157.56.30.46","src_port":51104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"TLS.Azure","proto_id":"91.276","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -340,7 +340,7 @@ 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":3826,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383822262143775,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":3833,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383822264211946} 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":3833,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383822264155073,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} -01590{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3845,"source":"tor.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1383822129889928,"flow_src_last_pkt_time":1383822265160118,"flow_dst_last_pkt_time":1383822265159585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2761,"flow_dst_tot_l4_payload_len":5864,"midstream":0,"thread_ts_usec":1383822265160118,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"212.83.155.250","src_port":51174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":319,"flow_avg":19908212.0,"flow_max":366522929,"flow_stddev":66098216.0,"c_to_s_min":1749,"c_to_s_avg":31362070.0,"c_to_s_max":366522929,"c_to_s_stddev":89321288.0,"s_to_c_min":319,"s_to_c_avg":8454354.0,"s_to_c_max":72890007,"s_to_c_stddev":22299664.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":230.7,"c_to_s_max":640,"c_to_s_stddev":242.6,"s_to_c_min":54,"s_to_c_avg":421.2,"s_to_c_max":1514,"s_to_c_stddev":402.9}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01586{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3845,"source":"tor.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1383822129889928,"flow_src_last_pkt_time":1383822265160118,"flow_dst_last_pkt_time":1383822265159585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2761,"flow_dst_tot_l4_payload_len":5864,"midstream":0,"thread_ts_usec":1383822265160118,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"212.83.155.250","src_port":51174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":319,"flow_avg":8727092.0,"flow_max":72890007,"flow_stddev":22568808.0,"c_to_s_min":1749,"c_to_s_avg":9018013.0,"c_to_s_max":72591366,"c_to_s_stddev":22848812.0,"s_to_c_min":319,"s_to_c_avg":8454354.0,"s_to_c_max":72890007,"s_to_c_stddev":22299664.0},"pktlen": {"c_to_s_min":60,"c_to_s_avg":230.7,"c_to_s_max":640,"c_to_s_stddev":242.6,"s_to_c_min":54,"s_to_c_avg":421.2,"s_to_c_max":1514,"s_to_c_stddev":402.9}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":3853,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383822266211911} 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":3853,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383822265221448,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":3854,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383822268211949} @@ -373,5 +373,5 @@ ~~ total allocations/frees...: 125270/125270 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 185 chars -~~ json string max len.......: 1833 chars -~~ json string avg len.......: 1009 chars +~~ json string max len.......: 1829 chars +~~ json string avg len.......: 1007 chars diff --git a/test/results/trickbot.pcap.out b/test/results/trickbot.pcap.out index bfd83de05..6034cef42 100644 --- a/test/results/trickbot.pcap.out +++ b/test/results/trickbot.pcap.out @@ -6,7 +6,7 @@ 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1609266107797418,"flow_dst_last_pkt_time":1609266107797175,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1609266107797418,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoc9JAAIAGK1IKDB1lUnbhxO+GG6gSdtdXYu1SXVAQ\/\/+p4QAA"} 01412{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266107797621,"flow_dst_last_pkt_time":1609266107797175,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":349,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":349,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1609266107797621,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"82.118.225.196","http": {"url":"82.118.225.196:7080\/OK21pqJAtyyGBEo00sk","code":0,"content_type":"","user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E)","request_content_type":"application\/x-www-form-urlencoded","detected_os":"Windows 10"}}} 01552{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266107797702,"flow_dst_last_pkt_time":1609266108728827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1358,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":1358,"midstream":0,"thread_ts_usec":1609266108728827,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"82.118.225.196","http": {"url":"82.118.225.196:7080\/OK21pqJAtyyGBEo00sk","code":200,"content_type":"text\/html","user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E)","request_content_type":"application\/x-www-form-urlencoded","detected_os":"Windows 10"}}} -01715{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266109737227,"flow_dst_last_pkt_time":1609266110219915,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":27187,"midstream":0,"thread_ts_usec":1609266110219915,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":62379260.0,"flow_max":1991282172,"flow_stddev":346441280.0,"c_to_s_min":81,"c_to_s_avg":221496432.0,"c_to_s_max":1991282172,"c_to_s_stddev":625713792.0,"s_to_c_min":6,"s_to_c_avg":116018.0,"s_to_c_max":931085,"s_to_c_stddev":230499.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":197.2,"c_to_s_max":982,"c_to_s_stddev":297.9,"s_to_c_min":54,"s_to_c_avg":1236.2,"s_to_c_max":1514,"s_to_c_stddev":521.8}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01696{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266109737227,"flow_dst_last_pkt_time":1609266110219915,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":27187,"midstream":0,"thread_ts_usec":1609266110219915,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":156585.2,"flow_max":931328,"flow_stddev":258444.3,"c_to_s_min":81,"c_to_s_avg":273215.9,"c_to_s_max":931328,"c_to_s_stddev":296212.4,"s_to_c_min":6,"s_to_c_avg":116018.0,"s_to_c_max":931085,"s_to_c_stddev":230499.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":197.2,"c_to_s_max":982,"c_to_s_stddev":297.9,"s_to_c_min":54,"s_to_c_avg":1236.2,"s_to_c_max":1514,"s_to_c_stddev":521.8}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01264{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":74,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":46,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266115947454,"flow_dst_last_pkt_time":1609266115947521,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":56713,"midstream":0,"thread_ts_usec":1609266115947521,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":74,"source":"trickbot.pcap","alias":"nDPId-test","packets-captured":74,"packets-processed":74,"total-skipped-flows":0,"total-l4-payload-len":57990,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1609266115947521} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -22,5 +22,5 @@ ~~ total allocations/frees...: 121515/121515 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 479 chars -~~ json string max len.......: 1720 chars -~~ json string avg len.......: 1073 chars +~~ json string max len.......: 1701 chars +~~ json string avg len.......: 1065 chars diff --git a/test/results/tumblr.pcap.out b/test/results/tumblr.pcap.out index 5424bc534..25f6e0e41 100644 --- a/test/results/tumblr.pcap.out +++ b/test/results/tumblr.pcap.out @@ -26,7 +26,7 @@ 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":32,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292104650967,"flow_src_last_pkt_time":1605292104650967,"flow_dst_last_pkt_time":1605292104650967,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292104650967,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1605292104650967,"flow_dst_last_pkt_time":1605292104650967,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292104650967,"pkt":"qtsDr8lk5EKm5WPyht1gBEqMACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABo9CrI3c4Bu\/+MQoWdXXNVgBAB9YSyAAABAQgKTYTpp8Lc6wE="} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1605292104650967,"flow_dst_last_pkt_time":1605292104716333,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292104716333,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAGj0KsgqAcsBIEmLB5kd7IUo3\/YpAbvdzp1dc1X\/jEKGgBAMSBTRAAABAQgKwt2b\/U1+nj4="} -01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":57,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292103810303,"flow_src_last_pkt_time":1605292105112205,"flow_dst_last_pkt_time":1605292105112063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":382,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":607,"flow_dst_tot_l4_payload_len":11474,"midstream":1,"thread_ts_usec":1605292105112205,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::98c7:1593","src_port":42908,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":81546.2,"flow_max":700859,"flow_stddev":186452.1,"c_to_s_min":11,"c_to_s_avg":81732.5,"c_to_s_max":700827,"c_to_s_stddev":187067.4,"s_to_c_min":1,"s_to_c_avg":81360.0,"s_to_c_max":700859,"s_to_c_stddev":185834.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":123.9,"c_to_s_max":468,"c_to_s_stddev":93.4,"s_to_c_min":86,"s_to_c_avg":803.1,"s_to_c_max":1486,"s_to_c_stddev":652.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":57,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292103810303,"flow_src_last_pkt_time":1605292105112205,"flow_dst_last_pkt_time":1605292105112063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":382,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":607,"flow_dst_tot_l4_payload_len":11474,"midstream":1,"thread_ts_usec":1605292105112205,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::98c7:1593","src_port":42908,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":83989.1,"flow_max":700859,"flow_stddev":188930.8,"c_to_s_min":11,"c_to_s_avg":86793.5,"c_to_s_max":700827,"c_to_s_stddev":192138.9,"s_to_c_min":1,"s_to_c_avg":81360.0,"s_to_c_max":700859,"s_to_c_stddev":185834.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":123.9,"c_to_s_max":468,"c_to_s_stddev":93.4,"s_to_c_min":86,"s_to_c_avg":803.1,"s_to_c_max":1486,"s_to_c_stddev":652.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00790{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":87,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105170049,"flow_dst_last_pkt_time":1605292105170049,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":160,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105170049,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00775{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105170049,"flow_dst_last_pkt_time":1605292105170049,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":246,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":246,"pkt_l4_len":192,"thread_ts_usec":1605292105170049,"pkt":"qtsDr8lk5EKm5WPyht1gDdvHAMAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0oqZwBuzRq\/HZTRuvUgBgSELhfAAABAQgKdG+lysLdLW8XAwMAm7+VUv5v3n1cEKhvA7Obmk7hW69laavu9OZNOdP5v2aiE9LYEKQeHffn7vm6VstuW5LB+GPd1bdCCYxPrQ8cpXXvSrRBde7Ubgvulsw\/eGF6vJKgoYXL5h04lY18ojPm\/cV9tUPretg64t\/hG52\/jXKkQ9+5e1GR1KuJgn1MWQ\/97vN82J\/Jt388ivkqQMfP0T\/jvMqs33Elwytq"} 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105170049,"flow_dst_last_pkt_time":1605292105170049,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":160,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105170049,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -39,12 +39,12 @@ 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1605292105170518,"flow_dst_last_pkt_time":1605292105195930,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292105195930,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAMAATSgqAcsBIEmLB5kd7IUo3\/YpAbupnFNG69Q0av0WgBAMvoDtAAABAQgKwt2d3XRvpco="} 00804{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":95,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105197307,"flow_dst_last_pkt_time":1605292105197307,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105197307,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105197307,"flow_dst_last_pkt_time":1605292105197307,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105197307,"pkt":"qtsDr8lk5EKm5WPyht1gCsuaACgGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5AwBu6fu9OYAAAAAoAL9IHL6AAACBAWgBAIIClFT82IAAAAAAQMDBw=="} -01215{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":128,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105221617,"flow_dst_last_pkt_time":1605292105221612,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":311,"flow_dst_tot_l4_payload_len":12058,"midstream":1,"thread_ts_usec":1605292105221617,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":5026.7,"flow_max":57723,"flow_stddev":12364.8,"c_to_s_min":8,"c_to_s_avg":6830.7,"c_to_s_max":57723,"c_to_s_stddev":15945.0,"s_to_c_min":1,"s_to_c_avg":3222.7,"s_to_c_max":25881,"s_to_c_stddev":6709.9},"pktlen": {"c_to_s_min":86,"c_to_s_avg":105.4,"c_to_s_max":246,"c_to_s_stddev":51.5,"s_to_c_min":86,"s_to_c_avg":839.6,"s_to_c_max":1486,"s_to_c_stddev":667.6}}} +01213{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":128,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105221617,"flow_dst_last_pkt_time":1605292105221612,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":311,"flow_dst_tot_l4_payload_len":12058,"midstream":1,"thread_ts_usec":1605292105221617,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":3326.8,"flow_max":37135,"flow_stddev":8084.0,"c_to_s_min":8,"c_to_s_avg":3437.9,"c_to_s_max":37135,"c_to_s_stddev":9328.0,"s_to_c_min":1,"s_to_c_avg":3222.7,"s_to_c_max":25881,"s_to_c_stddev":6709.9},"pktlen": {"c_to_s_min":86,"c_to_s_avg":105.4,"c_to_s_max":246,"c_to_s_stddev":51.5,"s_to_c_min":86,"s_to_c_avg":839.6,"s_to_c_max":1486,"s_to_c_stddev":667.6}}} 00900{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":128,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105221617,"flow_dst_last_pkt_time":1605292105221612,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":311,"flow_dst_tot_l4_payload_len":12058,"midstream":1,"thread_ts_usec":1605292105221617,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":146,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1605292105197307,"flow_dst_last_pkt_time":1605292105230486,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105230486,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSYGKAABNRVaI7oLKiX\/Ei0qAcsBIEmLB5kd7IUo3\/YpAbvkDMLhfl2n7vTnoBJXgHalAAACBAV4AQMDAwQCCArC3Z3zUVPzYg=="} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":150,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1605292105230554,"flow_dst_last_pkt_time":1605292105230486,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292105230554,"pkt":"qtsDr8lk5EKm5WPyht1gCsuaACAGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5AwBu6fu9OfC4X5egBAB+\/qVAAABAQgKUVPzg8LdnfM="} 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":154,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105231042,"flow_dst_last_pkt_time":1605292105230486,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105231042,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"consent.cmp.oath.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01215{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":158,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105171046,"flow_src_last_pkt_time":1605292105231565,"flow_dst_last_pkt_time":1605292105231522,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":362,"flow_dst_tot_l4_payload_len":16800,"midstream":1,"thread_ts_usec":1605292105231565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":3812.2,"flow_max":45055,"flow_stddev":9281.8,"c_to_s_min":9,"c_to_s_avg":3844.8,"c_to_s_max":45055,"c_to_s_stddev":10819.0,"s_to_c_min":1,"s_to_c_avg":3779.8,"s_to_c_max":27249,"s_to_c_stddev":7433.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":108.6,"c_to_s_max":198,"c_to_s_stddev":42.0,"s_to_c_min":86,"s_to_c_avg":1136.0,"s_to_c_max":1486,"s_to_c_stddev":606.2}}} +01215{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":158,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105171046,"flow_src_last_pkt_time":1605292105231565,"flow_dst_last_pkt_time":1605292105231522,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":362,"flow_dst_tot_l4_payload_len":16800,"midstream":1,"thread_ts_usec":1605292105231565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":3903.1,"flow_max":45055,"flow_stddev":9416.3,"c_to_s_min":9,"c_to_s_avg":4034.6,"c_to_s_max":45055,"c_to_s_stddev":11148.0,"s_to_c_min":1,"s_to_c_avg":3779.8,"s_to_c_max":27249,"s_to_c_stddev":7433.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":108.6,"c_to_s_max":198,"c_to_s_stddev":42.0,"s_to_c_min":86,"s_to_c_avg":1136.0,"s_to_c_max":1486,"s_to_c_stddev":606.2}}} 00900{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":158,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105171046,"flow_src_last_pkt_time":1605292105231565,"flow_dst_last_pkt_time":1605292105231522,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":362,"flow_dst_tot_l4_payload_len":16800,"midstream":1,"thread_ts_usec":1605292105231565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43434,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00805{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":345,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105274861,"flow_src_last_pkt_time":1605292105274861,"flow_dst_last_pkt_time":1605292105274861,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105274861,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58382,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":345,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105274861,"flow_dst_last_pkt_time":1605292105274861,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105274861,"pkt":"qtsDr8lk5EKm5WPyht1gA8c5ACgGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5A4Bu+LGvZYAAAAAoAL9IG8jAAACBAWgBAIIClFT868AAAAAAQMDBw=="} @@ -53,7 +53,7 @@ 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":377,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1605292105299399,"flow_dst_last_pkt_time":1605292105299371,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292105299399,"pkt":"qtsDr8lk5EKm5WPyht1gA8c5ACAGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5A4Bu+LGvZeG572bgBAB+\/MzAAABAQgKUVPzyMLdnkM="} 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":378,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292105274861,"flow_src_last_pkt_time":1605292105299606,"flow_dst_last_pkt_time":1605292105299371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105299606,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58382,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"consent.cmp.oath.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01197{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":397,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1605292105274861,"flow_src_last_pkt_time":1605292105322435,"flow_dst_last_pkt_time":1605292105340527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":99,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":99,"midstream":0,"thread_ts_usec":1605292105340527,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58382,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"consent.cmp.oath.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01371{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":411,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105347875,"flow_dst_last_pkt_time":1605292105347850,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":523,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1519,"flow_dst_tot_l4_payload_len":5784,"midstream":0,"thread_ts_usec":1605292105347875,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":11203.3,"flow_max":47694,"flow_stddev":16749.7,"c_to_s_min":3,"c_to_s_avg":9496.6,"c_to_s_max":47160,"c_to_s_stddev":15860.0,"s_to_c_min":1,"s_to_c_avg":13685.7,"s_to_c_max":47694,"s_to_c_stddev":17673.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":181.4,"c_to_s_max":609,"c_to_s_stddev":172.9,"s_to_c_min":86,"s_to_c_avg":448.0,"s_to_c_max":1294,"s_to_c_stddev":475.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01372{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":411,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105347875,"flow_dst_last_pkt_time":1605292105347850,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":523,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1519,"flow_dst_tot_l4_payload_len":5784,"midstream":0,"thread_ts_usec":1605292105347875,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":11581.2,"flow_max":47694,"flow_stddev":16955.4,"c_to_s_min":3,"c_to_s_avg":10037.9,"c_to_s_max":47160,"c_to_s_stddev":16236.4,"s_to_c_min":1,"s_to_c_avg":13685.7,"s_to_c_max":47694,"s_to_c_stddev":17673.5},"pktlen": {"c_to_s_min":86,"c_to_s_avg":181.4,"c_to_s_max":609,"c_to_s_stddev":172.9,"s_to_c_min":86,"s_to_c_avg":448.0,"s_to_c_max":1294,"s_to_c_stddev":475.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00785{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":432,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105418417,"flow_src_last_pkt_time":1605292105418417,"flow_dst_last_pkt_time":1605292105418417,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105418417,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":432,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105418417,"flow_dst_last_pkt_time":1605292105418417,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105418417,"pkt":"qtsDr8lk5EKm5WPyht1gDBurACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABgBgdJmPABuw7mG3sAAAAAoAL9IOHqAAACBAWgBAIIChNm5EYAAAAAAQMDBw=="} 00790{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":433,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105433892,"flow_src_last_pkt_time":1605292105433892,"flow_dst_last_pkt_time":1605292105433892,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105433892,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2001:4998:14:800::1001","src_port":47118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -70,7 +70,7 @@ 00886{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":454,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105669051,"flow_dst_last_pkt_time":1605292105669051,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":120,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":120,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105669051,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00612{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":455,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1605292105669426,"flow_dst_last_pkt_time":1605292105669051,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":125,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":125,"pkt_l4_len":71,"thread_ts_usec":1605292105669426,"pkt":"qtsDr8lk5EKm5WPyht1gCP\/sAEcGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0D3doBu3fKOsYW2C\/9gBhA0ehRAAABAQgKBcmbrMLdLRcXAwMAIgQb59HIMHYAgoaCAJqbMMjq72ntBt\/\/eGErLyXH34Iczsk="} 00733{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":456,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_src_last_pkt_time":1605292105669518,"flow_dst_last_pkt_time":1605292105669051,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":215,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":215,"pkt_l4_len":161,"thread_ts_usec":1605292105669518,"pkt":"qtsDr8lk5EKm5WPyht1gCP\/sAKEGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0D3doBu3fKOu0W2C\/9gBhA0aEtAAABAQgKBcmbrMLdLRcXAwMAfBkhBkIFqMuMKjD1\/xjqGp2hEKMP3ziLomYjJXbyDDBzMNKC8MmFqfqAj9+xvxfAO7rBldu4UpazYVXmg399TnFcypI7qckvMpQyy6kehQ5F75J5BlTYjgokme9I6h8+9mS8Y6D2WQEp5qh0Ix9\/vReZo1xT0xocl8k7wFQ="} -01219{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":485,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105720296,"flow_dst_last_pkt_time":1605292105720289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":130,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":11113,"midstream":1,"thread_ts_usec":1605292105720296,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":8457.1,"flow_max":134317,"flow_stddev":25813.3,"c_to_s_min":8,"c_to_s_avg":13254.4,"c_to_s_max":134317,"c_to_s_stddev":34591.0,"s_to_c_min":1,"s_to_c_avg":3659.9,"s_to_c_max":36646,"s_to_c_stddev":9491.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":123.5,"c_to_s_max":216,"c_to_s_stddev":50.8,"s_to_c_min":86,"s_to_c_avg":703.4,"s_to_c_max":1486,"s_to_c_stddev":679.2}}} +01214{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":485,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105720296,"flow_dst_last_pkt_time":1605292105720289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":130,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":11113,"midstream":1,"thread_ts_usec":1605292105720296,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":3795.7,"flow_max":36646,"flow_stddev":9087.4,"c_to_s_min":8,"c_to_s_avg":3941.9,"c_to_s_max":26419,"c_to_s_stddev":8629.2,"s_to_c_min":1,"s_to_c_avg":3659.9,"s_to_c_max":36646,"s_to_c_stddev":9491.1},"pktlen": {"c_to_s_min":86,"c_to_s_avg":123.5,"c_to_s_max":216,"c_to_s_stddev":50.8,"s_to_c_min":86,"s_to_c_avg":703.4,"s_to_c_max":1486,"s_to_c_stddev":679.2}}} 00901{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":485,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105720296,"flow_dst_last_pkt_time":1605292105720289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":130,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":11113,"midstream":1,"thread_ts_usec":1605292105720296,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00792{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":492,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105726518,"flow_src_last_pkt_time":1605292105726518,"flow_dst_last_pkt_time":1605292105726518,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":127,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":127,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":127,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105726518,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4c03","src_port":51874,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00728{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":492,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105726518,"flow_dst_last_pkt_time":1605292105726518,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":213,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":213,"pkt_l4_len":159,"thread_ts_usec":1605292105726518,"pkt":"qtsDr8lk5EKm5WPyht1gBYNxAJ8GQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAEwDyqIBu7npntnZTJergBgB9damAAABAQgKLIniTsLdLfkXAwMAepLzP8oRHbXAD5D56fW\/ezxXNRxKdaqM6BwQpjw0zyORx06Rl8gHWinoWY19NxmIXl2owLgVHJ\/UEVkHmda\/PMinu6FgCqLeUi5RUsVJaGqL1ulKRH6Mi5nxYau2z9M9f+jUaBIVXH47AOoxy+jPs5YTh+8Es3OdfTIr"} @@ -96,7 +96,7 @@ 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2849,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_src_last_pkt_time":1605292108917920,"flow_dst_last_pkt_time":1605292108917845,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292108917920,"pkt":"qtsDr8lk5EKm5WPyht1gCOgvACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0D3goBu3qld1Md4lVGgBAB+8BsAAABAQgKBcmoXMLdrGc="} 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2850,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292108895208,"flow_src_last_pkt_time":1605292108918360,"flow_dst_last_pkt_time":1605292108917845,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292108918360,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56842,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"64.media.tumblr.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01201{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2953,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292108895208,"flow_src_last_pkt_time":1605292108918360,"flow_dst_last_pkt_time":1605292108973288,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1400,"midstream":0,"thread_ts_usec":1605292108973288,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56842,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"64.media.tumblr.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01373{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3670,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292108895208,"flow_src_last_pkt_time":1605292109072597,"flow_dst_last_pkt_time":1605292109072571,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1335,"flow_dst_tot_l4_payload_len":7988,"midstream":0,"thread_ts_usec":1605292109072597,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56842,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":14899.2,"flow_max":70171,"flow_stddev":22338.7,"c_to_s_min":4,"c_to_s_avg":14988.4,"c_to_s_max":62426,"c_to_s_stddev":23434.3,"s_to_c_min":1,"s_to_c_avg":14780.2,"s_to_c_max":70171,"s_to_c_stddev":20787.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":169.9,"c_to_s_max":603,"c_to_s_stddev":155.4,"s_to_c_min":86,"s_to_c_avg":585.8,"s_to_c_max":1486,"s_to_c_stddev":602.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01373{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3670,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292108895208,"flow_src_last_pkt_time":1605292109072597,"flow_dst_last_pkt_time":1605292109072571,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1335,"flow_dst_tot_l4_payload_len":7988,"midstream":0,"thread_ts_usec":1605292109072597,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56842,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":13139.0,"flow_max":70171,"flow_stddev":20754.3,"c_to_s_min":4,"c_to_s_avg":11825.9,"c_to_s_max":59732,"c_to_s_stddev":20633.9,"s_to_c_min":1,"s_to_c_avg":14780.2,"s_to_c_max":70171,"s_to_c_stddev":20787.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":169.9,"c_to_s_max":603,"c_to_s_stddev":155.4,"s_to_c_min":86,"s_to_c_avg":585.8,"s_to_c_max":1486,"s_to_c_stddev":602.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00788{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":12579,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292114506948,"flow_src_last_pkt_time":1605292114506948,"flow_dst_last_pkt_time":1605292114506948,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292114506948,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12579,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_src_last_pkt_time":1605292114506948,"flow_dst_last_pkt_time":1605292114506948,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292114506948,"pkt":"qtsDr8lk5EKm5WPyht1gCYCjACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3O4Bu5iknWH70O\/fgBATex8tAAABAQgKqXtvnsLdEcs="} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12580,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_src_last_pkt_time":1605292114506948,"flow_dst_last_pkt_time":1605292114736576,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292114736576,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAJdleYwqAcsBIEmLB5kd7IUo3\/YpAbvc7vvQ79+YpJ1igBBY1dkNAAABAQgKwt3C3al6v1A="} @@ -167,7 +167,7 @@ 01224{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23421,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121507997,"flow_dst_last_pkt_time":1605292121697370,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1400,"midstream":0,"thread_ts_usec":1605292121697370,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"catasters.tumblr.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01612{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23427,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121697627,"flow_dst_last_pkt_time":1605292121698447,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5097,"midstream":0,"thread_ts_usec":1605292121698447,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"catasters.tumblr.com","tls": {"version":"TLSv1.2","server_names":"*.tumblr.com,tumblr.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","subjectDN":"CN=*.tumblr.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"14:78:BA:5B:B5:54:5D:A1:2C:D2:79:4C:42:99:BB:3A:A9:DB:86:C2"}}} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23429,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":2,"flow_src_last_pkt_time":1605292121674877,"flow_dst_last_pkt_time":1605292121698552,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292121698552,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgXAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbvZCJmV\/O79d79\/gBALlo7gAAABAQgKwt3eUxu5BaQ="} -01230{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":23448,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121915646,"flow_dst_last_pkt_time":1605292121915718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1174,"flow_dst_tot_l4_payload_len":11033,"midstream":0,"thread_ts_usec":1605292121915718,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":45591.0,"flow_max":553968,"flow_stddev":105088.2,"c_to_s_min":14,"c_to_s_avg":61475.5,"c_to_s_max":553968,"c_to_s_stddev":138111.8,"s_to_c_min":1,"s_to_c_avg":28647.5,"s_to_c_max":160398,"s_to_c_stddev":43824.2},"pktlen": {"c_to_s_min":86,"c_to_s_avg":159.9,"c_to_s_max":603,"c_to_s_stddev":158.1,"s_to_c_min":86,"s_to_c_avg":776.1,"s_to_c_max":1486,"s_to_c_stddev":656.6}}} +01228{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":23448,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121915646,"flow_dst_last_pkt_time":1605292121915718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1174,"flow_dst_tot_l4_payload_len":11033,"midstream":0,"thread_ts_usec":1605292121915718,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":28645.1,"flow_max":189403,"flow_stddev":50095.8,"c_to_s_min":14,"c_to_s_avg":28642.7,"c_to_s_max":189403,"c_to_s_stddev":55665.2,"s_to_c_min":1,"s_to_c_avg":28647.5,"s_to_c_max":160398,"s_to_c_stddev":43824.2},"pktlen": {"c_to_s_min":86,"c_to_s_avg":159.9,"c_to_s_max":603,"c_to_s_stddev":158.1,"s_to_c_min":86,"s_to_c_avg":776.1,"s_to_c_max":1486,"s_to_c_stddev":656.6}}} 01616{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23448,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121915646,"flow_dst_last_pkt_time":1605292121915718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1174,"flow_dst_tot_l4_payload_len":11033,"midstream":0,"thread_ts_usec":1605292121915718,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"catasters.tumblr.com","tls": {"version":"TLSv1.2","server_names":"*.tumblr.com,tumblr.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","subjectDN":"CN=*.tumblr.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"14:78:BA:5B:B5:54:5D:A1:2C:D2:79:4C:42:99:BB:3A:A9:DB:86:C2"}}} 00794{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":23631,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122064463,"flow_dst_last_pkt_time":1605292122064463,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122064463,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23631,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122064463,"flow_dst_last_pkt_time":1605292122064463,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292122064463,"pkt":"qtsDr8lk5EKm5WPyht1gAy+bACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICQAAAAAAACAOwYwBu0AeaGkAAAAAoAL9IOE8AAACBAWgBAIICthbOh0AAAAAAQMDBw=="} @@ -179,15 +179,15 @@ 01157{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":23657,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122094987,"flow_dst_last_pkt_time":1605292122094721,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122094987,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"apis.google.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00794{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":23664,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122095843,"flow_dst_last_pkt_time":1605292122095843,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122095843,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23664,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122095843,"flow_dst_last_pkt_time":1605292122095843,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292122095843,"pkt":"qtsDr8lk5EKm5WPyht1gD2uVACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAKltABu4i5CzgAAAAAoAL9IPiAAAACBAWgBAIIChLBJ8gAAAAAAQMDBw=="} -01249{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":23851,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605292102602965,"flow_src_last_pkt_time":1605292122118409,"flow_dst_last_pkt_time":1605292122118430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":132,"flow_dst_tot_l4_payload_len":16768,"midstream":1,"thread_ts_usec":1605292122118430,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":33465898.0,"flow_max":831082437,"flow_stddev":159607552.0,"c_to_s_min":2,"c_to_s_avg":56706524.0,"c_to_s_max":831082437,"c_to_s_stddev":207017360.0,"s_to_c_min":1,"s_to_c_avg":1774133.1,"s_to_c_max":19513573,"s_to_c_stddev":5609703.0},"pktlen": {"c_to_s_min":86,"c_to_s_avg":94.8,"c_to_s_max":172,"c_to_s_stddev":23.6,"s_to_c_min":86,"s_to_c_avg":1072.4,"s_to_c_max":1134,"s_to_c_stddev":246.6}}} +01241{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":23851,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605292102602965,"flow_src_last_pkt_time":1605292122118409,"flow_dst_last_pkt_time":1605292122118430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":132,"flow_dst_tot_l4_payload_len":16768,"midstream":1,"thread_ts_usec":1605292122118430,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":1561236.4,"flow_max":19513573,"flow_stddev":5287922.5,"c_to_s_min":2,"c_to_s_avg":1393960.2,"c_to_s_max":19473275,"c_to_s_stddev":5014310.0,"s_to_c_min":1,"s_to_c_avg":1774133.1,"s_to_c_max":19513573,"s_to_c_stddev":5609703.0},"pktlen": {"c_to_s_min":86,"c_to_s_avg":94.8,"c_to_s_max":172,"c_to_s_stddev":23.6,"s_to_c_min":86,"s_to_c_avg":1072.4,"s_to_c_max":1134,"s_to_c_stddev":246.6}}} 00901{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23851,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605292102602965,"flow_src_last_pkt_time":1605292122118409,"flow_dst_last_pkt_time":1605292122118430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":132,"flow_dst_tot_l4_payload_len":16768,"midstream":1,"thread_ts_usec":1605292122118430,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24118,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1605292122095843,"flow_dst_last_pkt_time":1605292122163288,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292122163288,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgLAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbuW0O3zbp+IuQs5oBJXgJ7NAAACBAV4AQMDAwQCCArC3d\/9EsEnyA=="} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24126,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_src_last_pkt_time":1605292122163315,"flow_dst_last_pkt_time":1605292122163288,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122163315,"pkt":"qtsDr8lk5EKm5WPyht1gD2uVACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAKltABu4i5Cznt826ggBAB+yKbAAABAQgKEsEoDMLd3\/0="} 01169{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":24188,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122163584,"flow_dst_last_pkt_time":1605292122163288,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122163584,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"ajax.googleapis.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01202{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24239,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122094987,"flow_dst_last_pkt_time":1605292122177975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605292122177975,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"apis.google.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01214{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24429,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122163584,"flow_dst_last_pkt_time":1605292122212637,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605292122212637,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"ajax.googleapis.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01385{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24477,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122274057,"flow_dst_last_pkt_time":1605292122274042,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":982,"flow_dst_tot_l4_payload_len":8808,"midstream":0,"thread_ts_usec":1605292122274057,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":11896.9,"flow_max":67472,"flow_stddev":20106.5,"c_to_s_min":3,"c_to_s_avg":10512.3,"c_to_s_max":67472,"c_to_s_stddev":18733.2,"s_to_c_min":1,"s_to_c_avg":13707.6,"s_to_c_max":67445,"s_to_c_stddev":21638.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":144.2,"c_to_s_max":603,"c_to_s_stddev":133.0,"s_to_c_min":86,"s_to_c_avg":673.7,"s_to_c_max":1294,"s_to_c_stddev":539.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01377{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24501,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122281616,"flow_dst_last_pkt_time":1605292122282509,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":9011,"midstream":0,"thread_ts_usec":1605292122282509,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":15090.5,"flow_max":83018,"flow_stddev":20614.4,"c_to_s_min":2,"c_to_s_avg":14666.8,"c_to_s_max":83018,"c_to_s_stddev":21461.2,"s_to_c_min":1,"s_to_c_avg":15574.7,"s_to_c_max":70679,"s_to_c_stddev":19590.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.6,"c_to_s_max":603,"c_to_s_stddev":134.3,"s_to_c_min":86,"s_to_c_avg":649.7,"s_to_c_max":1294,"s_to_c_stddev":553.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01385{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24477,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122274057,"flow_dst_last_pkt_time":1605292122274042,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":982,"flow_dst_tot_l4_payload_len":8808,"midstream":0,"thread_ts_usec":1605292122274057,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":12290.1,"flow_max":67472,"flow_stddev":20336.5,"c_to_s_min":3,"c_to_s_avg":11138.4,"c_to_s_max":67472,"c_to_s_stddev":19136.4,"s_to_c_min":1,"s_to_c_avg":13707.6,"s_to_c_max":67445,"s_to_c_stddev":21638.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":144.2,"c_to_s_max":603,"c_to_s_stddev":133.0,"s_to_c_min":86,"s_to_c_avg":673.7,"s_to_c_max":1294,"s_to_c_stddev":539.3}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01377{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24501,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122281616,"flow_dst_last_pkt_time":1605292122282509,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":9011,"midstream":0,"thread_ts_usec":1605292122282509,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":15006.9,"flow_max":83018,"flow_stddev":20961.8,"c_to_s_min":2,"c_to_s_avg":14476.9,"c_to_s_max":83018,"c_to_s_stddev":22152.0,"s_to_c_min":1,"s_to_c_avg":15574.7,"s_to_c_max":70679,"s_to_c_stddev":19590.7},"pktlen": {"c_to_s_min":86,"c_to_s_avg":146.6,"c_to_s_max":603,"c_to_s_stddev":134.3,"s_to_c_min":86,"s_to_c_avg":649.7,"s_to_c_max":1294,"s_to_c_stddev":553.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00716{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24626,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":3,"flow_src_last_pkt_time":1605292122439986,"flow_dst_last_pkt_time":1605292121698552,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":203,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":203,"pkt_l4_len":149,"thread_ts_usec":1605292122439986,"pkt":"qtsDr8lk5EKm5WPyht1gDKQRAJUGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFwAAAAAAACAK2QgBu\/13v3+ZlfzugBgB9aL3AAABAQgKG7m5ccLd3lMXAwMAcFVxaXihuhejZCNpZ5nuv6bEN9Yj5XMBxAt2QHwyRgmT6ybDwC5C73DyglYgxmIhMzt282zpUtE5GphT7ONBXskP6qssi1eNQHysgmBFeTvR+6kSeL0yhYhtFPIEYfWd8KPo3wOHIQIgFNXMNqMrZ9Q="} 00892{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":24626,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1605292121674877,"flow_src_last_pkt_time":1605292122439986,"flow_dst_last_pkt_time":1605292121698552,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":117,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":117,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292122439986,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:817::200a","src_port":55560,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00644{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24657,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1605292122501104,"flow_dst_last_pkt_time":1605292104716333,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":149,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":149,"pkt_l4_len":95,"thread_ts_usec":1605292122501104,"pkt":"qtsDr8lk5EKm5WPyht1gBEqMAF8GQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABo9CrI3c4Bu\/+MQoadXXNVgBgB9QaPAAABAQgKTYUvYcLdm\/0XAwMAOgAAAAAAAAAIvZM7k4G8cjK7Q9\/YrVI4eMbPvi74lWEwjtUtgcQJsZEKgX5x1KPe5+ARIWOSp6YRK8o="} @@ -201,7 +201,7 @@ 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24694,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122698834,"flow_dst_last_pkt_time":1605292122698834,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122698834,"pkt":"qtsDr8lk5EKm5WPyht1gCuvGACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABKcpoVprIBu3ASIMYXhL6qgBAB9S93AAABAQgKNSTnjcLdLMU="} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24706,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1605292122698834,"flow_dst_last_pkt_time":1605292122741055,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122741055,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAEpymhUqAcsBIEmLB5kd7IUo3\/YpAbumsheEvqpwEiDHgBALdyXtAAABAQgKwt3iZjUkMfM="} 01197{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24707,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292122674024,"flow_src_last_pkt_time":1605292122698360,"flow_dst_last_pkt_time":1605292122755298,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":620,"flow_dst_max_l4_payload_len":270,"flow_src_tot_l4_payload_len":620,"flow_dst_tot_l4_payload_len":270,"midstream":0,"thread_ts_usec":1605292122755298,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39164,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":101,"category":"Advertisement","hostname":"sb.scorecardresearch.com","tls": {"version":"TLSv1.3","ja3":"44d502d471cfdb99c59bdfb0f220e5a8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01392{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24724,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605292105418417,"flow_src_last_pkt_time":1605292122813676,"flow_dst_last_pkt_time":1605292122725006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":764,"flow_dst_max_l4_payload_len":1279,"flow_src_tot_l4_payload_len":4217,"flow_dst_tot_l4_payload_len":4676,"midstream":0,"thread_ts_usec":1605292122813676,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":98,"flow_avg":1093994.6,"flow_max":16588707,"flow_stddev":3997835.2,"c_to_s_min":98,"c_to_s_avg":1041249.3,"c_to_s_max":16556740,"c_to_s_stddev":3880200.2,"s_to_c_min":1834,"s_to_c_avg":1153772.5,"s_to_c_max":16588707,"s_to_c_stddev":4126288.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":334.5,"c_to_s_max":850,"c_to_s_stddev":298.6,"s_to_c_min":86,"s_to_c_avg":398.3,"s_to_c_max":1365,"s_to_c_stddev":430.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":101,"category":"Advertisement"}} +01392{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24724,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605292105418417,"flow_src_last_pkt_time":1605292122813676,"flow_dst_last_pkt_time":1605292122725006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":764,"flow_dst_max_l4_payload_len":1279,"flow_src_tot_l4_payload_len":4217,"flow_dst_tot_l4_payload_len":4676,"midstream":0,"thread_ts_usec":1605292122813676,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":98,"flow_avg":1119414.5,"flow_max":16588707,"flow_stddev":4059258.8,"c_to_s_min":98,"c_to_s_avg":1087203.8,"c_to_s_max":16556740,"c_to_s_stddev":3995128.2,"s_to_c_min":1834,"s_to_c_avg":1153772.5,"s_to_c_max":16588707,"s_to_c_stddev":4126288.8},"pktlen": {"c_to_s_min":86,"c_to_s_avg":334.5,"c_to_s_max":850,"c_to_s_stddev":298.6,"s_to_c_min":86,"s_to_c_avg":398.3,"s_to_c_max":1365,"s_to_c_stddev":430.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":101,"category":"Advertisement"}} 00794{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":24733,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292122874816,"flow_src_last_pkt_time":1605292122874816,"flow_dst_last_pkt_time":1605292122874816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292122874816,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200a","src_port":40190,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24733,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122874816,"flow_dst_last_pkt_time":1605292122874816,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122874816,"pkt":"qtsDr8lk5EKm5WPyht1gDJQ7ACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICgAAAAAAACAKnP4Bu4CgSN\/gvLosgBAB9qrlAAABAQgK1OQQnsLdMvM="} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24745,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1605292122874816,"flow_dst_last_pkt_time":1605292122899206,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122899206,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgKAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbuc\/uC8uiyAoEjggBALQrp6AAABAQgKwt3jAtThR68="} diff --git a/test/results/tunnelbear.pcap.out b/test/results/tunnelbear.pcap.out index c3a532b22..cc2902f9d 100644 --- a/test/results/tunnelbear.pcap.out +++ b/test/results/tunnelbear.pcap.out @@ -36,7 +36,7 @@ 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":60,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1655734524482823,"flow_dst_last_pkt_time":1655734524482578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1655734524482823,"pkt":"ABoRAAACABoRAAABCABFAAAo3gtAAEAGvAcKCAABovfzvLmIAbsjcXmi3I6GX1AQ\/\/9T0gAA"} 01047{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":61,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1655734524480852,"flow_src_last_pkt_time":1655734524484592,"flow_dst_last_pkt_time":1655734524482578,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655734524484592,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"162.247.243.188","src_port":47496,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"mobile-collector.newrelic.com","tls": {"version":"TLSv1.2","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 01507{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":94,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734524480852,"flow_src_last_pkt_time":1655734524484592,"flow_dst_last_pkt_time":1655734524597187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":3864,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3864,"midstream":0,"thread_ts_usec":1655734524597187,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"162.247.243.188","src_port":47496,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"mobile-collector.newrelic.com","tls": {"version":"TLSv1.2","server_names":"*.newrelic.com,newrelic.com","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"a885fb01204bc11cc58efc02fe640899","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=San Francisco, O=New Relic, Inc., CN=*.newrelic.com","alpn":"http\/1.1","fingerprint":"90:B0:56:FB:4D:88:5C:EB:F9:79:45:35:26:15:0C:00:F4:08:72:77"}}} -01467{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":113,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1655734524335198,"flow_src_last_pkt_time":1655734524914388,"flow_dst_last_pkt_time":1655734524915156,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":3657,"flow_src_tot_l4_payload_len":2952,"flow_dst_tot_l4_payload_len":9379,"midstream":0,"thread_ts_usec":1655734524915156,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45104,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":14,"flow_avg":36700.5,"flow_max":265866,"flow_stddev":59395.2,"c_to_s_min":14,"c_to_s_avg":37153.6,"c_to_s_max":265866,"c_to_s_stddev":64746.4,"s_to_c_min":99,"s_to_c_avg":36247.4,"s_to_c_max":214474,"s_to_c_stddev":53507.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":239.8,"c_to_s_max":590,"c_to_s_stddev":219.8,"s_to_c_min":54,"s_to_c_avg":640.2,"s_to_c_max":3711,"s_to_c_stddev":1091.4}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01467{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":113,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1655734524335198,"flow_src_last_pkt_time":1655734524914388,"flow_dst_last_pkt_time":1655734524915156,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":3657,"flow_src_tot_l4_payload_len":2952,"flow_dst_tot_l4_payload_len":9379,"midstream":0,"thread_ts_usec":1655734524915156,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45104,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":14,"flow_avg":37391.9,"flow_max":265866,"flow_stddev":60218.7,"c_to_s_min":14,"c_to_s_avg":38612.7,"c_to_s_max":265866,"c_to_s_stddev":66614.6,"s_to_c_min":99,"s_to_c_avg":36247.4,"s_to_c_max":214474,"s_to_c_stddev":53507.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":239.8,"c_to_s_max":590,"c_to_s_stddev":219.8,"s_to_c_min":54,"s_to_c_avg":640.2,"s_to_c_max":3711,"s_to_c_stddev":1091.4}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":132,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1655734525210582,"flow_src_last_pkt_time":1655734525210582,"flow_dst_last_pkt_time":1655734525210582,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655734525210582,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45124,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1655734525210582,"flow_dst_last_pkt_time":1655734525210582,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1655734525210582,"pkt":"ABoRAAACABoRAAABCABFAAA8oPNAAEAGtIYKCAABaBFzKLBEAbsaEwikAAAAAKAC\/\/\/kSwAAAgQFtAQCCAoBY6hXAAAAAAEDAwg="} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":133,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1655734525210582,"flow_dst_last_pkt_time":1655734525218112,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1655734525218112,"pkt":"ABoRAAACABoRAAABCABFAAAoAJJAABAGhPxoEXMoCggAAQG7sETl7PdbGhMIpVAS\/\/8YkAAA"} @@ -49,7 +49,7 @@ 01061{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":143,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1655734525218267,"flow_src_last_pkt_time":1655734525224208,"flow_dst_last_pkt_time":1655734525221695,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655734525224208,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.polargrizzly.com","tls": {"version":"TLSv1.2","ja3":"e9ec38c2b40ff3e300e9975dd7619902","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":145,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734525218267,"flow_src_last_pkt_time":1655734525224208,"flow_dst_last_pkt_time":1655734525281832,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1655734525281832,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.polargrizzly.com","tls": {"version":"TLSv1.2","ja3":"e9ec38c2b40ff3e300e9975dd7619902","ja3s":"5badad76fbdd6e8b6296e2e9f4024401","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":147,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734525210582,"flow_src_last_pkt_time":1655734525221986,"flow_dst_last_pkt_time":1655734525332870,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1655734525332870,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45124,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.polargrizzly.com","tls": {"version":"TLSv1.2","ja3":"e9ec38c2b40ff3e300e9975dd7619902","ja3s":"5badad76fbdd6e8b6296e2e9f4024401","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} -01348{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":186,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1655734525218267,"flow_src_last_pkt_time":1655734525773780,"flow_dst_last_pkt_time":1655734525773395,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":749,"flow_src_tot_l4_payload_len":2295,"flow_dst_tot_l4_payload_len":1194,"midstream":0,"thread_ts_usec":1655734525773780,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":128,"flow_avg":34947.7,"flow_max":233720,"flow_stddev":54265.6,"c_to_s_min":138,"c_to_s_avg":35199.9,"c_to_s_max":233720,"c_to_s_stddev":59707.5,"s_to_c_min":128,"s_to_c_avg":34695.5,"s_to_c_max":196795,"s_to_c_stddev":48212.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":198.7,"c_to_s_max":590,"c_to_s_stddev":207.0,"s_to_c_min":54,"s_to_c_avg":128.6,"s_to_c_max":803,"s_to_c_stddev":182.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01348{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":186,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1655734525218267,"flow_src_last_pkt_time":1655734525773780,"flow_dst_last_pkt_time":1655734525773395,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":749,"flow_src_tot_l4_payload_len":2295,"flow_dst_tot_l4_payload_len":1194,"midstream":0,"thread_ts_usec":1655734525773780,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":128,"flow_avg":35827.1,"flow_max":233720,"flow_stddev":54909.0,"c_to_s_min":138,"c_to_s_avg":37034.2,"c_to_s_max":233720,"c_to_s_stddev":61227.5,"s_to_c_min":128,"s_to_c_avg":34695.5,"s_to_c_max":196795,"s_to_c_stddev":48212.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":198.7,"c_to_s_max":590,"c_to_s_stddev":207.0,"s_to_c_min":54,"s_to_c_avg":128.6,"s_to_c_max":803,"s_to_c_stddev":182.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":190,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1655734754614463,"flow_src_last_pkt_time":1655734754614463,"flow_dst_last_pkt_time":1655734754614463,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1655734754614463,"l3_proto":"ip4","src_ip":"10.158.132.91","dst_ip":"104.17.114.40","src_port":38398,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":190,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1655734754614463,"flow_dst_last_pkt_time":1655734754614463,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1655734754614463,"pkt":"ABoRAAACABoRAAABCABFAAAoVtFAAEAGeswKnoRbaBFyKJX+AbuhM960Ee9+klAQAVedJwAA"} 01213{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":191,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1655734754615913,"flow_dst_last_pkt_time":1655734754614463,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":571,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":571,"pkt_l4_len":537,"thread_ts_usec":1655734754615913,"pkt":"ABoRAAACABoRAAABCABFAAItVtJAAEAGeMYKnoRbaBFyKJX+AbuhM960Ee9+klAYAVc2sQAAFgMBAgABAAH8AwOffU2PEFvusphnSRt4iypv4+ZmiFJN5MhWLpPRgxBGWyBzS35friOfAWwzRvK4nOaCBJAbSD\/HvnzVJtlqjl91KAAYwCvALMypwC\/AMMyowBPAFACcAJ0ALwA1AQABm\/8BAAEAAAAAGQAXAAAUYXBpLnBvbGFyZ3JpenpseS5jb20AFwAAACMAwMEVNlaL0tdGnm3V54JqurXqfhCsyPABZtbMnzb26AxMffuozfeg4IKaCIbNJ3q2zznlQTcn2vtZGw2LgspfFkx\/\/ulZltuMfvovkdu6OxfbcYa5VnIF3xidmaUJ8SUPb79tJJFaBhFXEN61mvGK7zPpvVrV3mTyXEwUGGWTkZAGHvhktDm3FDiaeMeQoyzU\/JxID7YfTFAEkYxMS3+IaSjPuX3oi2kUbrLhwugcx7H6N+6QUOak1x1EA8eU6f8ZVAANABQAEgQDCAQEAQUDCAUFAQgGBgECAQAFAAUBAAAAAAAQAA4ADAJoMghodHRwLzEuMQALAAIBAAAKAAgABgAdABcAGAAVAGgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="} @@ -126,7 +126,7 @@ 01122{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":312,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734776538093,"flow_src_last_pkt_time":1655734776541777,"flow_dst_last_pkt_time":1655734776872181,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1655734776872181,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.114.40","src_port":33848,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.polargrizzly.com","tls": {"version":"TLSv1.2","ja3":"e9ec38c2b40ff3e300e9975dd7619902","ja3s":"5badad76fbdd6e8b6296e2e9f4024401","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01521{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":313,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734776512617,"flow_src_last_pkt_time":1655734776537556,"flow_dst_last_pkt_time":1655734776874125,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":5473,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5473,"midstream":0,"thread_ts_usec":1655734776874125,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.154.236","src_port":50904,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.tunnelbear.com","tls": {"version":"TLSv1.2","server_names":"*.tunnelbear.com,tunnelbear.com","ja3":"a1c672bda2bda1a05bdca801144b2760","ja3s":"a885fb01204bc11cc58efc02fe640899","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","subjectDN":"CN=*.tunnelbear.com","alpn":"h2,http\/1.1","fingerprint":"52:96:E2:83:CC:15:4E:B3:0F:5B:1D:E2:E8:FF:4E:A9:C4:E9:C0:AF"}}} 01509{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":370,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734776705767,"flow_src_last_pkt_time":1655734776708195,"flow_dst_last_pkt_time":1655734776969484,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":3864,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3864,"midstream":0,"thread_ts_usec":1655734776969484,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"162.247.243.188","src_port":48222,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"mobile-collector.newrelic.com","tls": {"version":"TLSv1.2","server_names":"*.newrelic.com,newrelic.com","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"a885fb01204bc11cc58efc02fe640899","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=San Francisco, O=New Relic, Inc., CN=*.newrelic.com","alpn":"http\/1.1","fingerprint":"90:B0:56:FB:4D:88:5C:EB:F9:79:45:35:26:15:0C:00:F4:08:72:77"}}} -01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":385,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1655734776460292,"flow_src_last_pkt_time":1655734776909928,"flow_dst_last_pkt_time":1655734777250607,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2900,"flow_src_tot_l4_payload_len":3230,"flow_dst_tot_l4_payload_len":3163,"midstream":0,"thread_ts_usec":1655734777250607,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.114.40","src_port":33830,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25,"flow_avg":402553.3,"flow_max":11641755,"flow_stddev":2020305.0,"c_to_s_min":25,"c_to_s_avg":806092.8,"c_to_s_max":11641755,"c_to_s_stddev":2896725.5,"s_to_c_min":59,"s_to_c_avg":46489.1,"s_to_c_max":340372,"s_to_c_stddev":93619.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":270.7,"c_to_s_max":590,"c_to_s_stddev":212.0,"s_to_c_min":54,"s_to_c_avg":240.1,"s_to_c_max":2954,"s_to_c_stddev":679.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01348{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":385,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1655734776460292,"flow_src_last_pkt_time":1655734776909928,"flow_dst_last_pkt_time":1655734777250607,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2900,"flow_src_tot_l4_payload_len":3230,"flow_dst_tot_l4_payload_len":3163,"midstream":0,"thread_ts_usec":1655734777250607,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.114.40","src_port":33830,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":25,"flow_avg":39998.4,"flow_max":340372,"flow_stddev":83812.5,"c_to_s_min":25,"c_to_s_avg":32116.9,"c_to_s_max":240091,"c_to_s_stddev":69270.4,"s_to_c_min":59,"s_to_c_avg":46489.1,"s_to_c_max":340372,"s_to_c_stddev":93619.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":270.7,"c_to_s_max":590,"c_to_s_stddev":212.0,"s_to_c_min":54,"s_to_c_avg":240.1,"s_to_c_max":2954,"s_to_c_stddev":679.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":414,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1655734777904202,"flow_src_last_pkt_time":1655734777904202,"flow_dst_last_pkt_time":1655734777904202,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655734777904202,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.114.40","src_port":33858,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":414,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_src_last_pkt_time":1655734777904202,"flow_dst_last_pkt_time":1655734777904202,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1655734777904202,"pkt":"ABoRAAACABoRAAABCABFAAA8VQtAAEAGAW8KCAABaBFyKIRCAbtalsosAAAAAKAC\/\/8YcQAAAgQFtAQCCAoBZJ8nAAAAAAEDAwg="} 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":415,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_src_last_pkt_time":1655734777904202,"flow_dst_last_pkt_time":1655734777909352,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1655734777909352,"pkt":"ABoRAAACABoRAAABCABFAAAoALVAABAGhdloEXIoCggAAQG7hEKlaTXTWpbKLVAS\/\/9FkgAA"} diff --git a/test/results/ultrasurf.pcap.out b/test/results/ultrasurf.pcap.out index e6bb9eedb..23bcbdbb5 100644 --- a/test/results/ultrasurf.pcap.out +++ b/test/results/ultrasurf.pcap.out @@ -5,21 +5,21 @@ 00869{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1656652731609846,"flow_src_last_pkt_time":1656652731609846,"flow_dst_last_pkt_time":1656652731609846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":2576,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2576,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2576,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1656652731609846,"l3_proto":"ip4","src_ip":"65.49.68.25","dst_ip":"10.132.0.23","src_port":50053,"dst_port":37898,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"UltraSurf","proto_id":"304","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 04022{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1656652731609853,"flow_dst_last_pkt_time":1656652731609846,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":2646,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":2646,"pkt_l4_len":2608,"thread_ts_usec":1656652731609853,"pkt":"zBr67JUAcGlaOmiJgQAAyAgARQAKRM7vQAA3BtrfQTFEGQqEABfDhZQKC2ONCUpUkTKAEAFmmhsAAAEBCAom3sgHA1a0\/YkZzIRfJcoGEDhjun+5RWZFRHORheFaka9qWEEqwSnKRQ8+fGAhhFa7EN5cpLsXBaX2yHZz8DtP4L0FIaDBHwFd5rA4GP5cmI7bfwLgg4FVeGP7SjUTC6qb+HQHzgd9GKJejKikQgtNuMoyW+WltSykS7MMuwC9XmFm880JdkonHY1odOp0bZesqC0Ef58K3CfEAwAV1rHerMtEb3ZHcVOr9dSu4VHvVdRPp+8WfCOtT114DN9xODhN5xizXNsKGb1Vqn77M3rN9osNOzf3tytH8Pevd1aIgf3Sm6YXA7VR5D7dvmhs0FN4QC+LDtkE\/6thA0uo\/lnZqMEIHcwUsGe918WbIwSGOk2MJbaAbJZUODyOfxe+T03WsJGCGLuDQ0m7AsMClrqgh8OHbm5U9HMCsMr4h4pvEhR0z2I+R7A\/GAWfQ1Lv84asTQ\/KcjVoTGNO\/qR9qnBDPz02vpUg0t1qIn5OZjHUJc1XlP7bcvV\/wKw3OfG2mX63GGvc7i7QZES09OVvvvQOx27EiD1xANcAMElPBG4AZ\/1ImDDO55WnYWPfINUR0Htt3CDZHS99b7xjoML0TE0baQJ3Jm38p3DdfsEGrsmIokmWO1TpdGRxB4MJLY3wn7Tw4tqDNqBMVruqsIN3XOP1je5K4jtfip7MN5mhXqQwq26JbXu4RN0QZgBwifB\/DFQoswvG8No+jWGMXSh9v0kJl9fw8bhx9lZpA3tQmLgRL3sOqJAHaqHBZRkJhuHh+Rjm\/6hTfFQ00ehtauLThf9ezdb2uY49gvz2DGebsNmTjFsOx+X4R9hsdpnezkh4aEpX5uL1bXi1H6uS64VjoFNEDHQpZ+3uZrYCmJilgBV0bv0nVghQl4kU33Pf7GIoPZuXhIQfS9VrHsdHbZpH1PU8M\/9PRmRmYlmeapu7XEZp4CzDGYPDSedJ8vQLqPyHzVwGcjHckBVdpjNiPAG5UPQoZ3wCl\/PxEywufemrmfmR\/5AqOpW8\/Wur6zMxw5YPRRe\/bygJ0G9Yqw0LVPvEBxGwFY9uVVI6IGaHAasiMKQLbkze7bdXM6QNfYFDnbbaxoOEV8QDh7YIhuz4gfbAW6eyQbJT2jQKjEHkd0tMaupNho4gKsMUwsj4nZlzTYJVJpDMcLimISegAqBKQ4i8foUUKiadz6eosf+e\/Jex37VfE+krt3zlcpISr8HTnFM1USFF0+9ct3a5KjyNHIWXBbdEjluidEueiRiWyxf4cTH4FbCD2xO9GNRkq9QZppurtJaFbRjXCrw9UUutzbcN9EQ4Cq+gKBSyYXwmUbkSGOLO9rE323nvwyvDcYVdrUsP+BGDklMzvNUHuJnRFouZ1R0WCXxlJrCNrMkgI+iuTt0BJzGXzfEkqc7fmNoiossOF4BZK08wWnsMWJPMsI5Aw3iU49xeiNCj74DW2jR92gY79iEsFrre1ny3NbSwl8EGB091wIYQyL7Ho3Xf3P3gT7nJkJZVIupHy1AL3OnXFLu0aQ9jZogZz0sFxzcPAzim0\/TD+aEJKEn3h1ZCM0dvkLQLeFEGKVhxypzfJLDO0hydYwloEETx3qJaVHzqs8Wq+SgnnsMzDPiMy\/H9mXbpWFOmZUY8c+RgPNNwEPY9sWGgREkghLZgVI4BmbR+1He8AIC\/Jqb6\/fZGK9Su8InqtBz4VDwmCvVjB5VmwRYgEff9Co9KEAKioF+rxsp7jx4CUT\/dUpBgwtPw1AAqwXhQ\/uIBWqnOLtB+sJapVDGqCd6YbeW67lUJtDoMU8VaKm8fednX12fDvla7u1M+CXOyIf\/4rq46zKsHemwKXMSG27KxCoqvfpu2RFyDoNiwIkywHe+mu0KXU6r0uKXXuXHjcqE1XT+Ol42P4hE1aTwsVJT\/aLRIVQDwKL6IhfLinh4zf9x0O\/I\/C1GeMvABe16jJTVzGkcz49endJCMetsRgtWR7oSOwEn5bVIocg8jZsCjdrwEvd6kjZWMsRgHhtbLq+aU27mgxUfacXWiiGTsT33DZFYnj2Gbfgh1MUmZNuxbwGQK74YsSlD8+37pnUDCdBxPu+Gf64VQKHxJ9RtZ7tBvjcOGhEiQQM2Bqm9+kC5dGL6whXOTdBD0aHE3e3jNhysBJXeznMxXLuH5BpQBNhY+pGCD36HH\/gl2POk5EvjD5emciTPfEvMoX\/pO1twUedLTeXtt4V8bNumuTzdRWus9vZCGnaJKWYY+IluLtxDKaBHhULnRKPZr7a3fqY4eZZWnvSv+6SyQfi\/guF4IkYLhqf3LM1QbKUpuoYVTCXDg\/iejAGelMIOMZk\/34eSGVjsk9H4ZDrbf+Wviyu10e\/3LGX4vZqXdNId0qCEAQQsb5bj67rIpqEUfO1gjj68uRkOWA5pTXz1Cw5OGMJDODQJgEJUgUxpgbiqUn1yGaEKOOaiaN2Vv5\/u+w6mqQni+gBiA0+4K0zEMbn8XRxSib6SxlyLQVFPK3+8NFm9X2am1AtSH1\/PoCM1+A0L4I8UddMiaV4KJVbD4gIsbkZTEL2rNpB7+3TEPLkz\/oWqgDlYpiSJoug71nGWFcD+HEERUlO5Z93B7c4XWme9gT2XSraJ9EGS47MTy8E5gSuzHgT06aAD1VDe0EzdVIhzO6QfLKRVyqK\/DkDAcF1dU\/CysJQuLXO26HE1qiZstmUL\/PmaIF1CAre3aq1TiBtKi47RcAusmfTZViQ5pBnP52RilqIkeFHO7qJ+Xe7UbBid1eckGMDShESIKSMkg323ewkUsCQrdbbCQCNxMP\/vovWIiozrHVfadoXMR1+s3vDeGvdijxN0cQlXKhRXEHz1q9AFZPP6OvHtyaigQOx7Av7+CCavPWtRnhVyR2jLsjvU\/P8W5IFa8Qs0a8CJRQpkCWniRyCA3gsdHuiU5LPzN9N6ilFVKYWl8zCdx1E0DuWVnebVHPp\/mSPBcwJb6Kn0mZE5F6Slv4ios+F0zFBa\/+ONDhj8YI3D0pzybuWoGGURZpxxZvXyeMYFUqAzWQpmxOYCpDyYaRzpVXybXDJxWUfNGwmd6Ve5t6JHTxK332fJRagMHTraU5uEpzRuAnBCqVX\/orlzGUbI38lDmfktCRZhIZ0TA4WOuMezAS\/U5UeZ\/Ky36Btzeqc\/GtSNTwfx5pintfeIcHnEiV69AT2a7sR3PISNs\/w0efL492At330L6CabtPqbX+3L9tP+74e7pNSOxbl7oi\/mRnKkb9k8n2BH6yIJJt5VxxH74+2OAUxERThSHVZlYSiPBPktL4R30L859p0z2Uz6qmrKoN1is1fQXX8xGHOr7PkuLtDJqwFDVFJJ9YkA7Dx2pq++TaR\/9pl4AeqnylRZtWT3EJRF\/MYY3nnisHit78gzVET6d1BuDKtwoAyw4mKyfoqWDMp6JOacbgYmXKL3bRC0doX8dbGOchwnFREadeVLCi\/Q5"} 02275{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1656652731631188,"flow_dst_last_pkt_time":1656652731609846,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1358,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":1358,"pkt_l4_len":1320,"thread_ts_usec":1656652731631188,"pkt":"zBr67JUAcGlaOmiJgQAAyAgARQAFPM7xQAA3Bt\/lQTFEGQqEABfDhZQKC2OXGUpUkTKAEAFmw0YAAAEBCAom3sgTA1a0\/SxS3iaqHGBX0a8rgr8EFwZv7fbGR3LsZjVMCYTlteWImHMg7dpDQx6QAkVSKrBDRWsAgkFKUO9XRHQzEdcVJv+Jk6+iQYy27OR2Ruv0q0NyJCK8q8neLYQxD7xGx95YziHhCPmx+v2VJKWqXvo5pekBzrhigp\/0TmX3aYQplVTgwksBVP1wSVYSvnxpw4x3MGHY6EK1PhkChr6I2QaCOOskNMVQXjje52Gr0TD6cnIJniT0zvgTXSdGXH4d1pNmH6VI38eKJmR97TCaHW4VbObiULCNV965z+H0nCojIGmrzSNlYRkWatbld8Zbak+Ve9Ye2qFSUfesBybrU8MPKChWDS4szas\/0\/+O+hp7fTEBfmCOnTwpeZ+9ckDlu30IjD3klrlcZcGx59JJ23VaL3mRHXN2m7OYXYqgEUyKkpkk87MSdGKaT3iv+xeB8fdAD0S5iESPxvCatNGVxlnPWQC6LE2Mwk\/UPzo8wmxmWU\/4g2SzkG6fIhc2KfKoBTSS\/18XObBYhTCKn8tmchtQQnCFEhJwUqNPVQHAM7VWv97\/MrpK1Gg3ow57h3u6bsT3zD+7JqhTzfzSb+JLf+gPPuPmKrDBND362h9HtUe4u54hmK0emiAYbKHemgqk5ObUECg98wBR8GbmhEjkgqd5l9MpJjXEnZd7YjYb9HqCPVuTVofELhtwiquLU41YKvkqj9qHY3i83C4I5rsGWBIQz9jCnG\/LAO0gc+K5MhM0jD8w9afyXqZxxIWbvFCzYdvaAxFsd+dbs6QyAzMjBlRwZZJGoKCRudoGu78iGcHZ9v4JjFh8PqFI5RKE50MXupgqZhn5s+mncV4ED4BR62InyQMO+2lSV8XApXho3jZD2BZYaHL8BxzViM2AnSYU40nV5P\/9Zcawh1bVQjVPNsaeHWxMJc5P+uhgQ7yN5cDddbbbFops91CwGboz\/Y\/iUMqNL+Au752094lP9CLdBHTtF0nwGndsTr7PXV2am5lVFY+07I13Rnwh96VlnzAEErq6QUJMFpXVjoILKF75mfhkzufc5ww1btEyyIToFedBu8inrM2nSfVR4GSH1acVyxGJN\/xPMqMoz7qX11hSlDnDNA70XCXcPknSvGQJeC42YvRZuyBXR4bSZJpW3uxAIMisVpx8HuvqUlRDvWeTkl\/KlLkLPqVG6A7V9IJ4CzPp2LGxX0mxIii\/hq8qrdBvVjXBSMG2kFGd1Gk2CYKUDdUedzWwHbeA+x19\/Z8W9DscgX5Ingwo9qBoCIrSYVEyo5A+Bu6P2A6MYai8bIL3N1ixp0uHekzl1S5Y5ONHOtGVOFVnwRx49hvB6HPO9wc0rIJSIsq9YnBJNWgIZNFkCjlBnZHso+vfBKU6hgL+4B1v8gJk8\/+OinGcG00MXqyjoV0hIPvX8fcu6dH9TclFMmJS42m7WMCCPvMCk17qoAwiC5hrfwamrAiYI\/PEcMUUmJwNoLE7aKVZ7926CN5wXkVGlgQDYNSoxPqXoHqtbU6arZQtfgfxuD27lKKUbZm7keaLAlr7T5d0Wedi07GEwl0yp+Np4OWX5kU2Sgn3juSmnKnaCzCcLk2W4PsHrD6xcXA4Ni176mRo2kV4lUcSZ9ReNwImdlBbdKoXwKkzjV8Aa0hRPMOK2kTBCfB1GhE91TGa9BbzjtvK4JbGfzJcCXKDHd6qGUGMR+lTKBl2gIfVx9fr7SRFiR3Ky\/s="} -01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1656652731609846,"flow_src_last_pkt_time":1656652731961797,"flow_dst_last_pkt_time":1656652731903862,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1280,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2576,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":41208,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1656652731961797,"l3_proto":"ip4","src_ip":"65.49.68.25","dst_ip":"10.132.0.23","src_port":50053,"dst_port":37898,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":70056552.0,"flow_max":2241163750,"flow_stddev":389942336.0,"c_to_s_min":4,"c_to_s_avg":101887080.0,"c_to_s_max":2241163750,"c_to_s_stddev":466828416.0,"s_to_c_min":2,"s_to_c_avg":29401.6,"s_to_c_max":141836,"s_to_c_stddev":42418.8},"pktlen": {"c_to_s_min":1350,"c_to_s_avg":1943.1,"c_to_s_max":2646,"c_to_s_stddev":641.7,"s_to_c_min":98,"s_to_c_avg":98.0,"s_to_c_max":98,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"UltraSurf","proto_id":"304","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01335{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1656652731609846,"flow_src_last_pkt_time":1656652731961797,"flow_dst_last_pkt_time":1656652731903862,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1280,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2576,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":41208,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1656652731961797,"l3_proto":"ip4","src_ip":"65.49.68.25","dst_ip":"10.132.0.23","src_port":50053,"dst_port":37898,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":20837.6,"flow_max":150485,"flow_stddev":35657.5,"c_to_s_min":4,"c_to_s_avg":16759.6,"c_to_s_max":150485,"c_to_s_stddev":31121.1,"s_to_c_min":2,"s_to_c_avg":29401.6,"s_to_c_max":141836,"s_to_c_stddev":42418.8},"pktlen": {"c_to_s_min":1350,"c_to_s_avg":1943.1,"c_to_s_max":2646,"c_to_s_stddev":641.7,"s_to_c_min":98,"s_to_c_avg":98.0,"s_to_c_max":98,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"UltraSurf","proto_id":"304","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2962,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652778161151,"flow_dst_last_pkt_time":1656652778161151,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1656652778161151,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2962,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1656652778161151,"flow_dst_last_pkt_time":1656652778161151,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1656652778161151,"pkt":"cGlaOmiJzBr67JUAgQAAyAgARQAAPJe\/QAA\/BhQYCoQAF0ExRBmU6MOFszN1DQAAAACgAv\/\/UcYAAAIEBVAEAggKA1bisgAAAAABAwMI"} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2970,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1656652778161151,"flow_dst_last_pkt_time":1656652778372319,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1656652778372319,"pkt":"zBr67JUAcGlaOmiJgQAAyAgARQAAPAAAQAA3BrPXQTFEGQqEABfDhZTovxOnA7MzdQ6gEnEg1IYAAAIEBYwEAggKJt9+2gNW4rIBAwMJ"} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2974,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1656652778421535,"flow_dst_last_pkt_time":1656652778372319,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":70,"pkt_l4_len":32,"thread_ts_usec":1656652778421535,"pkt":"cGlaOmiJzBr67JUAgQAAyAgARQAANJfAQAA\/BhQfCoQAF0ExRBmU6MOFszN1Dr8TpwSAEAFXcrgAAAEBCAoDVuLwJt9+2g=="} 01331{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2975,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652778421539,"flow_dst_last_pkt_time":1656652778372319,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1656652778421539,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"b592adaa596bb72a5c1ccdbecae52e3f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01376{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2977,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652778421539,"flow_dst_last_pkt_time":1656652778641896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1288,"midstream":0,"thread_ts_usec":1656652778641896,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"b592adaa596bb72a5c1ccdbecae52e3f","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01573{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3003,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652779042511,"flow_dst_last_pkt_time":1656652779222772,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1348,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":5006,"flow_dst_tot_l4_payload_len":4491,"midstream":0,"thread_ts_usec":1656652779222772,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":61343.7,"flow_max":270784,"flow_stddev":98202.0,"c_to_s_min":4,"c_to_s_avg":60091.7,"c_to_s_max":260384,"c_to_s_stddev":95923.3,"s_to_c_min":2,"s_to_c_avg":62448.3,"s_to_c_max":270784,"s_to_c_stddev":100156.6},"pktlen": {"c_to_s_min":70,"c_to_s_avg":404.3,"c_to_s_max":1418,"c_to_s_stddev":430.6,"s_to_c_min":70,"s_to_c_avg":334.6,"s_to_c_max":1358,"s_to_c_stddev":463.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01573{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3003,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652779042511,"flow_dst_last_pkt_time":1656652779222772,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1348,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":5006,"flow_dst_tot_l4_payload_len":4491,"midstream":0,"thread_ts_usec":1656652779222772,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":62676.8,"flow_max":270784,"flow_stddev":99488.0,"c_to_s_min":4,"c_to_s_avg":62954.3,"c_to_s_max":260384,"c_to_s_stddev":98669.2,"s_to_c_min":2,"s_to_c_avg":62448.3,"s_to_c_max":270784,"s_to_c_stddev":100156.6},"pktlen": {"c_to_s_min":70,"c_to_s_avg":404.3,"c_to_s_max":1418,"c_to_s_stddev":430.6,"s_to_c_min":70,"s_to_c_avg":334.6,"s_to_c_max":1358,"s_to_c_stddev":463.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7468,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652831434184,"flow_dst_last_pkt_time":1656652831434184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1656652831434184,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7468,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1656652831434184,"flow_dst_last_pkt_time":1656652831434184,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1656652831434184,"pkt":"cGlaOmiJzBr67JUAgQAAyAgARQAAPDStQAA\/BncqCoQAF0ExRBmVCMOFn9EiagAAAACgAv\/\/g5YAAAIEBVAEAggKA1cWxwAAAAABAwMI"} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7491,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1656652831434184,"flow_dst_last_pkt_time":1656652831643678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1656652831643678,"pkt":"zBr67JUAcGlaOmiJgQAAyAgARQAAPAAAQAA3BrPXQTFEGQqEABfDhZUIPEwzlZ\/RImugEnEgLEwAAAIEBYwEAggKJuBPGgNXFscBAwMJ"} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7496,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1656652831673898,"flow_dst_last_pkt_time":1656652831643678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":70,"pkt_l4_len":32,"thread_ts_usec":1656652831673898,"pkt":"cGlaOmiJzBr67JUAgQAAyAgARQAANDSuQAA\/BncxCoQAF0ExRBmVCMOFn9EiazxMM5aAEAFXyn8AAAEBCAoDVxcDJuBPGg=="} 01331{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7499,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652831673908,"flow_dst_last_pkt_time":1656652831643678,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1656652831673908,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"b592adaa596bb72a5c1ccdbecae52e3f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01376{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7502,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652831673908,"flow_dst_last_pkt_time":1656652831894735,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1288,"midstream":0,"thread_ts_usec":1656652831894735,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"b592adaa596bb72a5c1ccdbecae52e3f","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01573{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7528,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652832235258,"flow_dst_last_pkt_time":1656652832454997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1348,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":4808,"flow_dst_tot_l4_payload_len":5851,"midstream":0,"thread_ts_usec":1656652832454997,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":60711.5,"flow_max":269120,"flow_stddev":99846.4,"c_to_s_min":2,"c_to_s_avg":57622.1,"c_to_s_max":260675,"c_to_s_stddev":94063.3,"s_to_c_min":2,"s_to_c_avg":63800.8,"s_to_c_max":269120,"s_to_c_stddev":105221.8},"pktlen": {"c_to_s_min":70,"c_to_s_avg":371.0,"c_to_s_max":1418,"c_to_s_stddev":429.7,"s_to_c_min":70,"s_to_c_avg":436.2,"s_to_c_max":1358,"s_to_c_stddev":523.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01574{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7528,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652832235258,"flow_dst_last_pkt_time":1656652832454997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1348,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":4808,"flow_dst_tot_l4_payload_len":5851,"midstream":0,"thread_ts_usec":1656652832454997,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":58770.5,"flow_max":269120,"flow_stddev":100848.2,"c_to_s_min":2,"c_to_s_avg":53404.9,"c_to_s_max":260675,"c_to_s_stddev":95672.4,"s_to_c_min":2,"s_to_c_avg":63800.8,"s_to_c_max":269120,"s_to_c_stddev":105221.8},"pktlen": {"c_to_s_min":70,"c_to_s_avg":371.0,"c_to_s_max":1418,"c_to_s_stddev":429.7,"s_to_c_min":70,"s_to_c_avg":436.2,"s_to_c_max":1358,"s_to_c_stddev":523.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00923{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":8142,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":1802,"flow_dst_packets_processed":1169,"flow_first_seen":1656652731609846,"flow_src_last_pkt_time":1656652778352349,"flow_dst_last_pkt_time":1656652778381476,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2576,"flow_dst_max_l4_payload_len":1802,"flow_src_tot_l4_payload_len":2740999,"flow_dst_tot_l4_payload_len":23869,"midstream":1,"thread_ts_usec":1656652839654386,"l3_proto":"ip4","src_ip":"65.49.68.25","dst_ip":"10.132.0.23","src_port":50053,"dst_port":37898,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"UltraSurf","proto_id":"304","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01154{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":8142,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1826,"flow_dst_packets_processed":2699,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652831683725,"flow_dst_last_pkt_time":1656652831663695,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1505,"flow_dst_max_l4_payload_len":2576,"flow_src_tot_l4_payload_len":76106,"flow_dst_tot_l4_payload_len":4310303,"midstream":0,"thread_ts_usec":1656652839654386,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01151{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":8142,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":304,"flow_dst_packets_processed":342,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652839654386,"flow_dst_last_pkt_time":1656652839634354,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1391,"flow_dst_max_l4_payload_len":2576,"flow_src_tot_l4_payload_len":56893,"flow_dst_tot_l4_payload_len":279549,"midstream":0,"thread_ts_usec":1656652839654386,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} diff --git a/test/results/viber.pcap.out b/test/results/viber.pcap.out index 74e164837..f1b3e0a12 100644 --- a/test/results/viber.pcap.out +++ b/test/results/viber.pcap.out @@ -56,7 +56,7 @@ 01053{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641868230,"flow_dst_last_pkt_time":1527155641865014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155641868230,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01113{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":89,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641868230,"flow_dst_last_pkt_time":1527155641890520,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1527155641890520,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01495{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":91,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641868230,"flow_dst_last_pkt_time":1527155641890790,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":4344,"midstream":0,"thread_ts_usec":1527155641890790,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","server_names":"*.viber.com,viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=thawte, Inc., CN=thawte SSL CA - G2","subjectDN":"C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.viber.com","alpn":"h2,http\/1.1","fingerprint":"E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A"}}} -01190{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":115,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641984215,"flow_dst_last_pkt_time":1527155641981830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":708,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":20153,"midstream":0,"thread_ts_usec":1527155641984215,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19,"flow_avg":9587.9,"flow_max":47784,"flow_stddev":15044.7,"c_to_s_min":44,"c_to_s_avg":12180.4,"c_to_s_max":41188,"c_to_s_stddev":15288.8,"s_to_c_min":19,"s_to_c_avg":7571.4,"s_to_c_max":47784,"s_to_c_stddev":14535.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":139.2,"c_to_s_max":774,"c_to_s_stddev":184.3,"s_to_c_min":66,"s_to_c_avg":1186.1,"s_to_c_max":1514,"s_to_c_stddev":547.9}}} +01190{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":115,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641984215,"flow_dst_last_pkt_time":1527155641981830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":708,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":20153,"midstream":0,"thread_ts_usec":1527155641984215,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":19,"flow_avg":8869.6,"flow_max":47784,"flow_stddev":14735.4,"c_to_s_min":44,"c_to_s_avg":10667.0,"c_to_s_max":41188,"c_to_s_stddev":14821.0,"s_to_c_min":19,"s_to_c_avg":7571.4,"s_to_c_max":47784,"s_to_c_stddev":14535.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":139.2,"c_to_s_max":774,"c_to_s_stddev":184.3,"s_to_c_min":66,"s_to_c_avg":1186.1,"s_to_c_max":1514,"s_to_c_stddev":547.9}}} 01500{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":115,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641984215,"flow_dst_last_pkt_time":1527155641981830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":708,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":20153,"midstream":0,"thread_ts_usec":1527155641984215,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","server_names":"*.viber.com,viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=thawte, Inc., CN=thawte SSL CA - G2","subjectDN":"C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.viber.com","alpn":"h2,http\/1.1","fingerprint":"E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A"}}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":119,"source":"viber.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155644240774,"flow_src_last_pkt_time":1527155644240774,"flow_dst_last_pkt_time":1527155644240774,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":23,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":23,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155644240774,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"172.217.23.106","src_port":41993,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"viber.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1527155644240774,"flow_dst_last_pkt_time":1527155644240774,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"thread_ts_usec":1527155644240774,"pkt":"AA6OMNv9MAdNo1+nCABFAAAzV0lAAEARXnTAqAARrNkXaqQJAbsAHwH3DO5PoOHayJNED10MJ0pTvsIOJQ7muOI="} @@ -93,7 +93,7 @@ 01039{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":215,"source":"viber.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1527155648513495,"flow_src_last_pkt_time":1527155648533128,"flow_dst_last_pkt_time":1527155648523699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":184,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155648533128,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"151.101.1.130","src_port":55746,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"venetia.iad.appboy.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 01053{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":217,"source":"viber.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1527155648513495,"flow_src_last_pkt_time":1527155648533128,"flow_dst_last_pkt_time":1527155648544884,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":184,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1527155648544884,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"151.101.1.130","src_port":55746,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"venetia.iad.appboy.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 00577{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":255,"source":"viber.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_src_last_pkt_time":1527155666982912,"flow_dst_last_pkt_time":1527155646968117,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"thread_ts_usec":1527155666982912,"pkt":"AQBeAAD7MAdNo1+nCABFAABZIsxAAP8RtxLAqAAR4AAA+xTpFOkARSvGAAUAAAACAAAAAAAACV84MDU3NDFDOQRfc3ViC19nb29nbGVjYXN0BF90Y3AFbG9jYWwAAAwAAcAbAAwAAQ=="} -01217{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":257,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155638428936,"flow_src_last_pkt_time":1527155670525718,"flow_dst_last_pkt_time":1527155666299937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":98,"flow_src_tot_l4_payload_len":2467,"flow_dst_tot_l4_payload_len":404,"midstream":1,"thread_ts_usec":1527155670525718,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"52.0.253.101","src_port":33208,"dst_port":4244,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":97,"flow_avg":86465384.0,"flow_max":2706924536,"flow_stddev":470657024.0,"c_to_s_min":97,"c_to_s_avg":161118896.0,"c_to_s_max":2706924536,"c_to_s_stddev":636457536.0,"s_to_c_min":270,"s_to_c_avg":1858066.6,"s_to_c_max":10701681,"s_to_c_stddev":2926117.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":211.1,"c_to_s_max":596,"c_to_s_stddev":159.7,"s_to_c_min":66,"s_to_c_avg":92.9,"s_to_c_max":164,"s_to_c_stddev":39.0}}} +01206{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":257,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155638428936,"flow_src_last_pkt_time":1527155670525718,"flow_dst_last_pkt_time":1527155666299937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":98,"flow_src_tot_l4_payload_len":2467,"flow_dst_tot_l4_payload_len":404,"midstream":1,"thread_ts_usec":1527155670525718,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"52.0.253.101","src_port":33208,"dst_port":4244,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":97,"flow_avg":1934444.6,"flow_max":10701681,"flow_stddev":2902413.2,"c_to_s_min":97,"c_to_s_avg":2006048.9,"c_to_s_max":10563926,"c_to_s_stddev":2878172.5,"s_to_c_min":270,"s_to_c_avg":1858066.6,"s_to_c_max":10701681,"s_to_c_stddev":2926117.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":211.1,"c_to_s_max":596,"c_to_s_stddev":159.7,"s_to_c_min":66,"s_to_c_avg":92.9,"s_to_c_max":164,"s_to_c_stddev":39.0}}} 00874{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":257,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155638428936,"flow_src_last_pkt_time":1527155670525718,"flow_dst_last_pkt_time":1527155666299937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":98,"flow_src_tot_l4_payload_len":2467,"flow_dst_tot_l4_payload_len":404,"midstream":1,"thread_ts_usec":1527155670525718,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"52.0.253.101","src_port":33208,"dst_port":4244,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00875{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":257,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155638428936,"flow_src_last_pkt_time":1527155670525718,"flow_dst_last_pkt_time":1527155666299937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":98,"flow_src_tot_l4_payload_len":2467,"flow_dst_tot_l4_payload_len":404,"midstream":1,"thread_ts_usec":1527155670525718,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"52.0.253.101","src_port":33208,"dst_port":4244,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":260,"source":"viber.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155670632131,"flow_src_last_pkt_time":1527155670632131,"flow_dst_last_pkt_time":1527155670632131,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155670632131,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.32","src_port":45424,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -116,7 +116,7 @@ 01059{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":276,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1527155671066998,"flow_src_last_pkt_time":1527155671250450,"flow_dst_last_pkt_time":1527155671237849,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":181,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":181,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155671250450,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"brahe.apptimize.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 01119{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":278,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1527155671066998,"flow_src_last_pkt_time":1527155671250450,"flow_dst_last_pkt_time":1527155671423359,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":181,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":181,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1527155671423359,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"brahe.apptimize.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}} 01595{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":281,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":6,"flow_first_seen":1527155671066998,"flow_src_last_pkt_time":1527155671250450,"flow_dst_last_pkt_time":1527155671423665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":181,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":181,"flow_dst_tot_l4_payload_len":4873,"midstream":0,"thread_ts_usec":1527155671423665,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"brahe.apptimize.com","tls": {"version":"TLSv1.2","server_names":"*.apptimize.com,apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA","subjectDN":"C=US, ST=CA, L=Mountain View, O=Apptimize, Inc, OU=PremiumSSL Wildcard, CN=*.apptimize.com","alpn":"http\/1.1","fingerprint":"BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5"}}} -01342{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":326,"source":"viber.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155670640484,"flow_src_last_pkt_time":1527155675775126,"flow_dst_last_pkt_time":1527155675692683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":76,"flow_src_tot_l4_payload_len":2947,"flow_dst_tot_l4_payload_len":930,"midstream":0,"thread_ts_usec":1527155675775126,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.32","src_port":47171,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":129,"flow_avg":318923.6,"flow_max":525007,"flow_stddev":213896.3,"c_to_s_min":129,"c_to_s_avg":303138.6,"c_to_s_max":524953,"c_to_s_stddev":217432.9,"s_to_c_min":15302,"s_to_c_avg":336813.3,"s_to_c_max":525007,"s_to_c_stddev":208375.5},"pktlen": {"c_to_s_min":62,"c_to_s_avg":215.4,"c_to_s_max":299,"c_to_s_stddev":113.3,"s_to_c_min":76,"s_to_c_avg":104.0,"s_to_c_max":118,"s_to_c_stddev":19.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01342{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":326,"source":"viber.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155670640484,"flow_src_last_pkt_time":1527155675775126,"flow_dst_last_pkt_time":1527155675692683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":76,"flow_src_tot_l4_payload_len":2947,"flow_dst_tot_l4_payload_len":930,"midstream":0,"thread_ts_usec":1527155675775126,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.32","src_port":47171,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":129,"flow_avg":328607.8,"flow_max":525007,"flow_stddev":210300.8,"c_to_s_min":129,"c_to_s_avg":320915.1,"c_to_s_max":524953,"c_to_s_stddev":211801.3,"s_to_c_min":15302,"s_to_c_avg":336813.3,"s_to_c_max":525007,"s_to_c_stddev":208375.5},"pktlen": {"c_to_s_min":62,"c_to_s_avg":215.4,"c_to_s_max":299,"c_to_s_stddev":113.3,"s_to_c_min":76,"s_to_c_avg":104.0,"s_to_c_max":118,"s_to_c_stddev":19.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":357,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155679410348,"flow_src_last_pkt_time":1527155679410348,"flow_dst_last_pkt_time":1527155679410348,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155679410348,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":33744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":357,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1527155679410348,"flow_dst_last_pkt_time":1527155679410348,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1527155679410348,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8V2ZAAEAGC9HAqAAREskEA4PQAbvgGt8vAAAAAKAC\/\/+jOgAAAgQFtAQCCAoAIYhJAAAAAAEDAwc="} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":358,"source":"viber.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155679411371,"flow_src_last_pkt_time":1527155679411371,"flow_dst_last_pkt_time":1527155679411371,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":257,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":257,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155679411371,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":38190,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -130,7 +130,7 @@ 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":363,"source":"viber.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_src_last_pkt_time":1527155679411435,"flow_dst_last_pkt_time":1527155679443387,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1527155679443387,"pkt":"MAdNo1+nAA6OMNv9CABFAAAwpnZAACsR0cESyQQDwKgAER8zlS4AHM86BbgaADUY9RiYZORHMkN8Xi6VAMg="} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":364,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_src_last_pkt_time":1527155679410348,"flow_dst_last_pkt_time":1527155679443640,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1527155679443640,"pkt":"MAdNo1+nAA6OMNv9CABFAAA8AABAACsGeDcSyQQDwKgAEQG7g9B0pK754BrfMKASaN\/EGgAAAgQFtAQCCAoA5FGtACGISQEDAwc="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":365,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_src_last_pkt_time":1527155679444692,"flow_dst_last_pkt_time":1527155679443640,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1527155679444692,"pkt":"AA6OMNv9MAdNo1+nCABFAAA0V2dAAEAGC9jAqAAREskEA4PQAbvgGt8wdKSu+oAQAq1ZEAAAAQEICgAhiFIA5FGt"} -01337{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":396,"source":"viber.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1527155679411371,"flow_src_last_pkt_time":1527155683480847,"flow_dst_last_pkt_time":1527155683453495,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":76,"flow_src_tot_l4_payload_len":2479,"flow_dst_tot_l4_payload_len":778,"midstream":0,"thread_ts_usec":1527155683480847,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":38190,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":49,"flow_avg":257549.2,"flow_max":531417,"flow_stddev":242114.4,"c_to_s_min":49,"c_to_s_avg":221023.6,"c_to_s_max":531417,"c_to_s_stddev":238503.0,"s_to_c_min":217,"s_to_c_avg":310932.6,"s_to_c_max":531356,"s_to_c_stddev":237395.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":172.5,"c_to_s_max":299,"c_to_s_stddev":120.1,"s_to_c_min":76,"s_to_c_avg":101.8,"s_to_c_max":118,"s_to_c_stddev":20.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01337{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":396,"source":"viber.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1527155679411371,"flow_src_last_pkt_time":1527155683480847,"flow_dst_last_pkt_time":1527155683453495,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":76,"flow_src_tot_l4_payload_len":2479,"flow_dst_tot_l4_payload_len":778,"midstream":0,"thread_ts_usec":1527155683480847,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":38190,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":49,"flow_avg":261664.5,"flow_max":531417,"flow_stddev":244884.4,"c_to_s_min":49,"c_to_s_avg":226082.0,"c_to_s_max":531417,"c_to_s_stddev":244044.5,"s_to_c_min":217,"s_to_c_avg":310932.6,"s_to_c_max":531356,"s_to_c_stddev":237395.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":172.5,"c_to_s_max":299,"c_to_s_stddev":120.1,"s_to_c_min":76,"s_to_c_avg":101.8,"s_to_c_max":118,"s_to_c_stddev":20.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155685529875,"flow_src_last_pkt_time":1527155685529875,"flow_dst_last_pkt_time":1527155685529875,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155685529875,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":50097,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1527155685529875,"flow_dst_last_pkt_time":1527155685529875,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1527155685529875,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8KqJAAEARjp7AqAARwKgAD8OxADUAKKNciEIBAAABAAAAAAAAA3d3dwZnb29nbGUDY29tAAABAAE="} 00996{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155685529875,"flow_src_last_pkt_time":1527155685529875,"flow_dst_last_pkt_time":1527155685529875,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155685529875,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":50097,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Google","proto_id":"5.126","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.google.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} diff --git a/test/results/vnc.pcap.out b/test/results/vnc.pcap.out index 22e7fd47f..61449b100 100644 --- a/test/results/vnc.pcap.out +++ b/test/results/vnc.pcap.out @@ -5,13 +5,13 @@ 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1476111264364066,"flow_dst_last_pkt_time":1476111264364590,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1476111264364590,"pkt":"xOodxQGGEP7tAkntCABFAAA0fFNAAIAGAADAqAJuX+0w0Br06Y8QfmeF6sUwZYASIABT+gAAAgQFtAEDAwgBAQQC"} 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1476111264402886,"flow_dst_last_pkt_time":1476111264364590,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1476111264402886,"pkt":"EP7tAkntxOodxQGGCABFAAAoXs5AAHQGVC5f7TDQwKgCbumPGvTqxTBlEH5nhlAQQTqDEwAAAAAAAAAA"} 01107{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1476111264364066,"flow_src_last_pkt_time":1476111264453192,"flow_dst_last_pkt_time":1476111264414487,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":12,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":12,"midstream":0,"thread_ts_usec":1476111264453192,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":59791,"dst_port":6900,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} -01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1476111264364066,"flow_src_last_pkt_time":1476111265262808,"flow_dst_last_pkt_time":1476111265262852,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":287,"flow_dst_tot_l4_payload_len":185,"midstream":0,"thread_ts_usec":1476111265262852,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":59791,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":125655320.0,"flow_max":4019172626,"flow_stddev":699296384.0,"c_to_s_min":1,"c_to_s_avg":236474784.0,"c_to_s_max":4019172626,"c_to_s_stddev":945674496.0,"s_to_c_min":35,"s_to_c_avg":59919.1,"s_to_c_max":310273,"s_to_c_stddev":88438.9},"pktlen": {"c_to_s_min":60,"c_to_s_avg":73.6,"c_to_s_max":89,"c_to_s_stddev":11.9,"s_to_c_min":54,"s_to_c_avg":67.1,"s_to_c_max":88,"s_to_c_stddev":12.8}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +01571{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1476111264364066,"flow_src_last_pkt_time":1476111265262808,"flow_dst_last_pkt_time":1476111265262852,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":287,"flow_dst_tot_l4_payload_len":185,"midstream":0,"thread_ts_usec":1476111265262852,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":59791,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":57984.8,"flow_max":545295,"flow_stddev":113391.3,"c_to_s_min":1,"c_to_s_avg":56171.4,"c_to_s_max":545295,"c_to_s_stddev":132560.1,"s_to_c_min":35,"s_to_c_avg":59919.1,"s_to_c_max":310273,"s_to_c_stddev":88438.9},"pktlen": {"c_to_s_min":60,"c_to_s_avg":73.6,"c_to_s_max":89,"c_to_s_stddev":11.9,"s_to_c_min":54,"s_to_c_avg":67.1,"s_to_c_max":88,"s_to_c_stddev":12.8}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3544,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111286462067,"flow_dst_last_pkt_time":1476111286462067,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1476111286462067,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3544,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1476111286462067,"flow_dst_last_pkt_time":1476111286462067,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1476111286462067,"pkt":"EP7tAkntxOodxQGGCABFAAA0be5AAHQGRQJf7TDQwKgCbslnGvTjPDftAAAAAIACIAD7xAAAAgQFrAEDAwIBAQQC"} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3545,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1476111286462067,"flow_dst_last_pkt_time":1476111286462174,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1476111286462174,"pkt":"xOodxQGGEP7tAkntCABFAAA0AmNAAIAGAADAqAJuX+0w0Br0yWdPW3mt4zw37oASIABT+gAAAgQFtAEDAwgBAQQC"} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3546,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1476111286499568,"flow_dst_last_pkt_time":1476111286462174,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1476111286499568,"pkt":"EP7tAkntxOodxQGGCABFAAAobe9AAHQGRQ1f7TDQwKgCbslnGvTjPDfuT1t5rlAQQTpSNgAAAAAAAAAA"} 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3548,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111286549120,"flow_dst_last_pkt_time":1476111286510841,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":12,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":12,"midstream":0,"thread_ts_usec":1476111286549120,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} -01580{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3575,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111287358990,"flow_dst_last_pkt_time":1476111287224950,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":287,"flow_dst_tot_l4_payload_len":185,"midstream":0,"thread_ts_usec":1476111287358990,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":237842.0,"flow_max":5951139,"flow_stddev":1033495.4,"c_to_s_min":2,"c_to_s_avg":380447.9,"c_to_s_max":5951139,"c_to_s_stddev":1356499.5,"s_to_c_min":46,"s_to_c_avg":54491.6,"s_to_c_max":501772,"s_to_c_stddev":125719.7},"pktlen": {"c_to_s_min":60,"c_to_s_avg":72.9,"c_to_s_max":89,"c_to_s_stddev":12.0,"s_to_c_min":54,"s_to_c_avg":68.1,"s_to_c_max":88,"s_to_c_stddev":12.8}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +01574{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3575,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111287358990,"flow_dst_last_pkt_time":1476111287224950,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":287,"flow_dst_tot_l4_payload_len":185,"midstream":0,"thread_ts_usec":1476111287358990,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":53542.1,"flow_max":538844,"flow_stddev":125065.9,"c_to_s_min":2,"c_to_s_avg":52760.2,"c_to_s_max":538844,"c_to_s_stddev":124519.5,"s_to_c_min":46,"s_to_c_avg":54491.6,"s_to_c_max":501772,"s_to_c_stddev":125719.7},"pktlen": {"c_to_s_min":60,"c_to_s_avg":72.9,"c_to_s_max":89,"c_to_s_stddev":12.0,"s_to_c_min":54,"s_to_c_avg":68.1,"s_to_c_max":88,"s_to_c_stddev":12.8}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 01157{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":4551,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":684,"flow_dst_packets_processed":324,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111290613528,"flow_dst_last_pkt_time":1476111290394024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":17754,"flow_dst_tot_l4_payload_len":212,"midstream":0,"thread_ts_usec":1476111290613528,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 01158{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":4551,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":2485,"flow_dst_packets_processed":1058,"flow_first_seen":1476111264364066,"flow_src_last_pkt_time":1476111280884547,"flow_dst_last_pkt_time":1476111280846496,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":64000,"flow_dst_tot_l4_payload_len":300,"midstream":0,"thread_ts_usec":1476111290613528,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":59791,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00562{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":4551,"source":"vnc.pcap","alias":"nDPId-test","packets-captured":4551,"packets-processed":4551,"total-skipped-flows":0,"total-l4-payload-len":82266,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1476111290613528} @@ -28,5 +28,5 @@ ~~ total allocations/frees...: 125999/125999 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 474 chars -~~ json string max len.......: 1598 chars -~~ json string avg len.......: 1035 chars +~~ json string max len.......: 1579 chars +~~ json string avg len.......: 1025 chars diff --git a/test/results/vxlan.pcap.out b/test/results/vxlan.pcap.out index b845ac867..b73e4f0ae 100644 --- a/test/results/vxlan.pcap.out +++ b/test/results/vxlan.pcap.out @@ -41,8 +41,8 @@ 00860{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":54,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1639650443097770,"flow_src_last_pkt_time":1639650443097770,"flow_dst_last_pkt_time":1639650443097770,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":62,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":62,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":62,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443097770,"l3_proto":"ip4","src_ip":"192.168.22.4","dst_ip":"192.168.22.5","src_port":60230,"dst_port":4789,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1639650443097913,"flow_dst_last_pkt_time":1639650443097770,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":108,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":108,"pkt_l4_len":70,"thread_ts_usec":1639650443097913,"pkt":"AAy9Bjp0AAy9Bjp1gQAABQgARQAAWgOJAABAEcmwwKgWBMCoFgXrRhK1AEbaoAgAAAAABFcAZnpQqv+aHuppKm\/PCABFCAAoAABAAEAGnqYKChQEnfDgI7CqAbtGa9YTAAAAAFAEAABE2gAA"} 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":56,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1639650443097920,"flow_dst_last_pkt_time":1639650443097770,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":108,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":108,"pkt_l4_len":70,"thread_ts_usec":1639650443097920,"pkt":"AAy9Bjp0AAy9Bjp1gQAABQgARQAAWgOKAABAEcmvwKgWBMCoFgXrRhK1AEbaoAgAAAAABFcAZnpQqv+aHuppKm\/PCABFCAAoAABAAEAGnqYKChQEnfDgI7CqAbtGa9YUAAAAAFAEAABE2QAA"} -01313{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1639650442941597,"flow_src_last_pkt_time":1639650443255719,"flow_dst_last_pkt_time":1639650442941597,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1454,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35959,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443255719,"l3_proto":"ip4","src_ip":"192.168.22.5","dst_ip":"192.168.22.4","src_port":36286,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":10,"flow_avg":11044.8,"flow_max":140558,"flow_stddev":30977.2,"c_to_s_min":10,"c_to_s_avg":11044.8,"c_to_s_max":140558,"c_to_s_stddev":30977.2,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":120,"c_to_s_avg":1169.7,"c_to_s_max":1500,"c_to_s_stddev":546.6,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01307{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":122,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1639650442931548,"flow_src_last_pkt_time":1639650443264733,"flow_dst_last_pkt_time":1639650442931548,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":392,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":3106,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443264733,"l3_proto":"ip4","src_ip":"192.168.22.4","dst_ip":"192.168.22.5","src_port":40646,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":11326.5,"flow_max":150839,"flow_stddev":29734.7,"c_to_s_min":4,"c_to_s_avg":11326.5,"c_to_s_max":150839,"c_to_s_stddev":29734.7,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":120,"c_to_s_avg":143.1,"c_to_s_max":438,"c_to_s_stddev":68.2,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01313{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1639650442941597,"flow_src_last_pkt_time":1639650443255719,"flow_dst_last_pkt_time":1639650442941597,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1454,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35959,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443255719,"l3_proto":"ip4","src_ip":"192.168.22.5","dst_ip":"192.168.22.4","src_port":36286,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":10,"flow_avg":10133.0,"flow_max":140558,"flow_stddev":31047.2,"c_to_s_min":10,"c_to_s_avg":10133.0,"c_to_s_max":140558,"c_to_s_stddev":31047.2,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":120,"c_to_s_avg":1169.7,"c_to_s_max":1500,"c_to_s_stddev":546.6,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01307{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":122,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1639650442931548,"flow_src_last_pkt_time":1639650443264733,"flow_dst_last_pkt_time":1639650442931548,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":392,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":3106,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443264733,"l3_proto":"ip4","src_ip":"192.168.22.4","dst_ip":"192.168.22.5","src_port":40646,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":10747.9,"flow_max":150839,"flow_stddev":30032.6,"c_to_s_min":4,"c_to_s_avg":10747.9,"c_to_s_max":150839,"c_to_s_stddev":30032.6,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":120,"c_to_s_avg":143.1,"c_to_s_max":438,"c_to_s_stddev":68.2,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00901{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":127,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1639650442864784,"flow_src_last_pkt_time":1639650442864881,"flow_dst_last_pkt_time":1639650442864784,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":84,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":84,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443276366,"l3_proto":"ip4","src_ip":"192.168.22.4","dst_ip":"192.168.22.5","src_port":60351,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00903{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":127,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1639650442902284,"flow_src_last_pkt_time":1639650442930989,"flow_dst_last_pkt_time":1639650442902284,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":129,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":141,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":270,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443276366,"l3_proto":"ip4","src_ip":"192.168.22.5","dst_ip":"192.168.22.4","src_port":50251,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00906{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":127,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":56,"flow_dst_packets_processed":0,"flow_first_seen":1639650442941597,"flow_src_last_pkt_time":1639650443276182,"flow_dst_last_pkt_time":1639650442941597,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1454,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":68647,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443276366,"l3_proto":"ip4","src_ip":"192.168.22.5","dst_ip":"192.168.22.4","src_port":36286,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} diff --git a/test/results/wa_video.pcap.out b/test/results/wa_video.pcap.out index b0f86d11c..5165468b3 100644 --- a/test/results/wa_video.pcap.out +++ b/test/results/wa_video.pcap.out @@ -35,10 +35,10 @@ 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":44,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455770313920,"flow_src_last_pkt_time":1561455770313920,"flow_dst_last_pkt_time":1561455770313920,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":137,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":137,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":137,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455770313920,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"239.255.255.250","src_port":51277,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00684{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1561455770313920,"flow_dst_last_pkt_time":1561455770313920,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":179,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":179,"pkt_l4_len":145,"thread_ts_usec":1561455770313920,"pkt":"AQBef\/\/6kLkxKPrKCABFAAClcA8AAAIRlYrAqAIM7\/\/\/+shNB2wAkeqFTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpkZXZpY2U6SW50ZXJuZXRHYXRld2F5RGV2aWNlOjENCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMw0KDQo="} 00901{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":44,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455770313920,"flow_src_last_pkt_time":1561455770313920,"flow_dst_last_pkt_time":1561455770313920,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":137,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":137,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":137,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455770313920,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"239.255.255.250","src_port":51277,"dst_port":1900,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"239.255.255.250:1900"}} -01220{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1561455767339689,"flow_src_last_pkt_time":1561455770332620,"flow_dst_last_pkt_time":1561455769794560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":548,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1640,"flow_dst_tot_l4_payload_len":5261,"midstream":1,"thread_ts_usec":1561455770332620,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":104272816.0,"flow_max":3227009433,"flow_stddev":570131264.0,"c_to_s_min":9,"c_to_s_avg":170000128.0,"c_to_s_max":3227009433,"c_to_s_stddev":720544192.0,"s_to_c_min":2,"s_to_c_avg":204572.6,"s_to_c_max":1227815,"s_to_c_stddev":336138.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":153.6,"c_to_s_max":614,"c_to_s_stddev":130.8,"s_to_c_min":66,"s_to_c_avg":470.7,"s_to_c_max":1454,"s_to_c_stddev":438.0}}} +01202{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1561455767339689,"flow_src_last_pkt_time":1561455770332620,"flow_dst_last_pkt_time":1561455769794560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":548,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1640,"flow_dst_tot_l4_payload_len":5261,"midstream":1,"thread_ts_usec":1561455770332620,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":181593.4,"flow_max":2404473,"flow_stddev":480680.3,"c_to_s_min":9,"c_to_s_avg":166273.9,"c_to_s_max":2404473,"c_to_s_stddev":556036.2,"s_to_c_min":2,"s_to_c_avg":204572.6,"s_to_c_max":1227815,"s_to_c_stddev":336138.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":153.6,"c_to_s_max":614,"c_to_s_stddev":130.8,"s_to_c_min":66,"s_to_c_avg":470.7,"s_to_c_max":1454,"s_to_c_stddev":438.0}}} 00882{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":51,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1561455767339689,"flow_src_last_pkt_time":1561455770332620,"flow_dst_last_pkt_time":1561455769794560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":548,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1640,"flow_dst_tot_l4_payload_len":5261,"midstream":1,"thread_ts_usec":1561455770332620,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00883{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":51,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1561455767339689,"flow_src_last_pkt_time":1561455770332620,"flow_dst_last_pkt_time":1561455769794560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":548,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1640,"flow_dst_tot_l4_payload_len":5261,"midstream":1,"thread_ts_usec":1561455770332620,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} -01354{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1561455769789452,"flow_src_last_pkt_time":1561455770782169,"flow_dst_last_pkt_time":1561455770781798,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":6,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":472,"flow_src_tot_l4_payload_len":8102,"flow_dst_tot_l4_payload_len":1614,"midstream":0,"thread_ts_usec":1561455770782169,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.48","src_port":53688,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":95,"flow_avg":62149.9,"flow_max":550126,"flow_stddev":133826.7,"c_to_s_min":95,"c_to_s_avg":43323.9,"c_to_s_max":548212,"c_to_s_stddev":115146.8,"s_to_c_min":1109,"s_to_c_avg":110260.7,"s_to_c_max":550126,"s_to_c_stddev":163017.4},"pktlen": {"c_to_s_min":48,"c_to_s_avg":394.3,"c_to_s_max":514,"c_to_s_stddev":183.5,"s_to_c_min":44,"s_to_c_avg":221.3,"s_to_c_max":514,"s_to_c_stddev":207.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01354{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1561455769789452,"flow_src_last_pkt_time":1561455770782169,"flow_dst_last_pkt_time":1561455770781798,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":6,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":472,"flow_src_tot_l4_payload_len":8102,"flow_dst_tot_l4_payload_len":1614,"midstream":0,"thread_ts_usec":1561455770782169,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.48","src_port":53688,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":95,"flow_avg":64034.3,"flow_max":550126,"flow_stddev":135549.6,"c_to_s_min":95,"c_to_s_avg":45123.5,"c_to_s_max":548212,"c_to_s_stddev":117417.9,"s_to_c_min":1109,"s_to_c_avg":110260.7,"s_to_c_max":550126,"s_to_c_stddev":163017.4},"pktlen": {"c_to_s_min":48,"c_to_s_avg":394.3,"c_to_s_max":514,"c_to_s_stddev":183.5,"s_to_c_min":44,"s_to_c_avg":221.3,"s_to_c_max":514,"s_to_c_stddev":207.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455772049243,"flow_src_last_pkt_time":1561455772049243,"flow_dst_last_pkt_time":1561455772049243,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":300,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":300,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":300,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455772049243,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00911{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1561455772049243,"flow_dst_last_pkt_time":1561455772049243,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"thread_ts_usec":1561455772049243,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFInqwAAP8RG\/kAAAAA\/\/\/\/\/wBEAEMBNNtQAQEGAH5K8tcAMwAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"} 00956{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455772049243,"flow_src_last_pkt_time":1561455772049243,"flow_dst_last_pkt_time":1561455772049243,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":300,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":300,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":300,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455772049243,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DHCP","proto_id":"18","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"lucas-imac","dhcp": {"fingerprint":"1,121,3,6,15,119,252,95,44,46","class_ident":""}}} @@ -55,7 +55,7 @@ 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":434,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1561455782059394,"flow_dst_last_pkt_time":1561455781352254,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455782059394,"pkt":"xiwDYGpkkLkxKPrKCABFAABI8PwAAEARMsXAqAIMW\/w4M9G4f4EANE0kAAEAGCESpEKAWzwjt5VRcfVmBmsACAAUJw9zjdQvQsjy5FQih0Itb6wHKg0="} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":485,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1561455782574285,"flow_dst_last_pkt_time":1561455781247252,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455782574285,"pkt":"xiwDYGpkkLkxKPrKCABFAABIwHEAAEARqAPAqAIMATxOQNG46GMANGXPAAEAGCESpEIoM9pd\/2PDbhKoL1oACAAUvqQBu1i76V7zg0ib1\/6QLghtUUY="} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":497,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1561455782679175,"flow_dst_last_pkt_time":1561455781352254,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455782679175,"pkt":"xiwDYGpkkLkxKPrKCABFAABINRkAAEAR7qjAqAIMW\/w4M9G4f4EANKRJAAEAGCESpEL4j9YAEpPJGTu3VCAACAAUGXORRrB48FGvPcJutSVccHGlcxM="} -01497{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":623,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":6,"flow_first_seen":1561455781352254,"flow_src_last_pkt_time":1561455783672290,"flow_dst_last_pkt_time":1561455783683909,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1118,"flow_dst_max_l4_payload_len":182,"flow_src_tot_l4_payload_len":15240,"flow_dst_tot_l4_payload_len":615,"midstream":0,"thread_ts_usec":1561455783683909,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"91.252.56.51","src_port":53688,"dst_port":32641,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":139,"flow_avg":146129.4,"flow_max":1979427,"flow_stddev":377821.8,"c_to_s_min":139,"c_to_s_avg":90172.5,"c_to_s_max":707140,"c_to_s_stddev":204225.0,"s_to_c_min":26140,"s_to_c_avg":388609.2,"s_to_c_max":1979427,"s_to_c_stddev":712902.9},"pktlen": {"c_to_s_min":86,"c_to_s_avg":628.2,"c_to_s_max":1160,"c_to_s_stddev":430.5,"s_to_c_min":86,"s_to_c_avg":144.5,"s_to_c_max":224,"s_to_c_stddev":48.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01497{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":623,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":6,"flow_first_seen":1561455781352254,"flow_src_last_pkt_time":1561455783672290,"flow_dst_last_pkt_time":1561455783683909,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1118,"flow_dst_max_l4_payload_len":182,"flow_src_tot_l4_payload_len":15240,"flow_dst_tot_l4_payload_len":615,"midstream":0,"thread_ts_usec":1561455783683909,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"91.252.56.51","src_port":53688,"dst_port":32641,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":139,"flow_avg":150054.5,"flow_max":1979427,"flow_stddev":383224.6,"c_to_s_min":139,"c_to_s_avg":92801.4,"c_to_s_max":707140,"c_to_s_stddev":207837.6,"s_to_c_min":26140,"s_to_c_avg":388609.2,"s_to_c_max":1979427,"s_to_c_stddev":712902.9},"pktlen": {"c_to_s_min":86,"c_to_s_avg":628.2,"c_to_s_max":1160,"c_to_s_stddev":430.5,"s_to_c_min":86,"s_to_c_avg":144.5,"s_to_c_max":224,"s_to_c_stddev":48.3}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1470,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455791449110,"flow_src_last_pkt_time":1561455791449110,"flow_dst_last_pkt_time":1561455791449110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":341,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":341,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":341,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455791449110,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00963{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1470,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1561455791449110,"flow_dst_last_pkt_time":1561455791449110,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":383,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":383,"pkt_l4_len":349,"thread_ts_usec":1561455791449110,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAFxMkoAAEARwOHAqAIBwKgC\/0RcRFwBXbU+eyJ2ZXJzaW9uIjogWzIsIDBdLCAicG9ydCI6IDE3NTAwLCAiaG9zdF9pbnQiOiAxNzQ1NjcxOTM5MjIwMTQ2OTg4Njg4NzAzNTEyMjAyNTg3OTI0NDMsICJkaXNwbGF5bmFtZSI6ICIiLCAibmFtZXNwYWNlcyI6IFsyNzUwMzcwNTYwLCA3ODUyNjYxNzcsIDE1MjYyNjMwNDUsIDEzMzg2NTkyMDEsIDE0ODE5MzM3LCA0ODA5NDIwMDQ4LCA1MTE3MDY2NDIsIDczNjM0MTUyOCwgOTM4ODEzODQ5LCAxMjY3Njk1MTA5LCA1NDQwNDA3MDcyLCA0ODEwNTkxNzYwLCA1ODM0NDk5NiwgOTk2MzA2MjE1LCA1MzAzMzAxMjQ4LCAzMDc1NTIxNjk2LCA0MDU2NDYyNTkyLCAyOTYzNjgyMDk2LCAxNTIyMTc3NTg3XX0="} 00871{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1470,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455791449110,"flow_src_last_pkt_time":1561455791449110,"flow_dst_last_pkt_time":1561455791449110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":341,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":341,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":341,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455791449110,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} diff --git a/test/results/wa_voice.pcap.out b/test/results/wa_voice.pcap.out index 2c4d1879c..f2893c5b8 100644 --- a/test/results/wa_voice.pcap.out +++ b/test/results/wa_voice.pcap.out @@ -23,7 +23,7 @@ 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1561455688704143,"flow_dst_last_pkt_time":1561455688744885,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1561455688744885,"pkt":"kLkxKPrKxiwDYGpkCABFAAA8AAAAAFMG8uKd8BQ1wKgCDBRmwMsu6BkVm9EK2qASbHAbGAAAAgQFeAQCCAoefUIDNM3yoAEDAwg="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1561455688841176,"flow_dst_last_pkt_time":1561455688744885,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1561455688841176,"pkt":"xiwDYGpkkLkxKPrKCABFAAA0AABAAEAGxerAqAIMnfAUNcDLFGab0QraLugZFoAQCAytcgAAAQEICjTN8zsefUID"} 00866{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":15,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1561455688704143,"flow_src_last_pkt_time":1561455689011542,"flow_dst_last_pkt_time":1561455688744885,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":256,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":256,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455689011542,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} -01338{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":43,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1561455688704143,"flow_src_last_pkt_time":1561455689377891,"flow_dst_last_pkt_time":1561455689390636,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":286,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":6993,"midstream":0,"thread_ts_usec":1561455689390636,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":58185.3,"flow_max":501689,"flow_stddev":109538.8,"c_to_s_min":5,"c_to_s_avg":69143.4,"c_to_s_max":501689,"c_to_s_stddev":128302.7,"s_to_c_min":1,"s_to_c_avg":45766.2,"s_to_c_max":304081,"s_to_c_stddev":81550.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":112.4,"c_to_s_max":352,"c_to_s_stddev":85.0,"s_to_c_min":66,"s_to_c_avg":532.7,"s_to_c_max":1454,"s_to_c_stddev":603.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01336{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":43,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1561455688704143,"flow_src_last_pkt_time":1561455689377891,"flow_dst_last_pkt_time":1561455689390636,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":286,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":6993,"midstream":0,"thread_ts_usec":1561455689390636,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":43878.7,"flow_max":304081,"flow_stddev":76394.5,"c_to_s_min":5,"c_to_s_avg":42109.2,"c_to_s_max":210132,"c_to_s_stddev":71176.7,"s_to_c_min":1,"s_to_c_avg":45766.2,"s_to_c_max":304081,"s_to_c_stddev":81550.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":112.4,"c_to_s_max":352,"c_to_s_stddev":85.0,"s_to_c_min":66,"s_to_c_avg":532.7,"s_to_c_max":1454,"s_to_c_stddev":603.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":60,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455689728258,"flow_src_last_pkt_time":1561455689728258,"flow_dst_last_pkt_time":1561455689728258,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455689728258,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":55296,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":60,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1561455689728258,"flow_dst_last_pkt_time":1561455689728258,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1561455689728258,"pkt":"xiwDYGpkkLkxKPrKCABFAABL058AAP8RYqTAqAIMwKgCAdgAADUAN5FDM2kBAAABAAAAAAAADG1lZGlhLW14cDEtMQNjZG4Id2hhdHNhcHADbmV0AAABAAE="} 01023{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455689728258,"flow_src_last_pkt_time":1561455689728258,"flow_dst_last_pkt_time":1561455689728258,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455689728258,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":55296,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.WhatsAppFiles","proto_id":"5.242","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"media-mxp1-1.cdn.whatsapp.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -35,7 +35,7 @@ 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":66,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1561455690036803,"flow_dst_last_pkt_time":1561455689928899,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1561455690036803,"pkt":"xiwDYGpkkLkxKPrKCABFAAA0AABAAEAGAtDAqAIMHw1WM8VHAbtOnG1l7gMI\/YAQBAZZdQAAAQEICjTOBV2HqaVz"} 01170{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":67,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1561455689909150,"flow_src_last_pkt_time":1561455690039586,"flow_dst_last_pkt_time":1561455689928899,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455690039586,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.51","src_port":50503,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"media-mxp1-1.cdn.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"b92a79ed03c3ff5611abb2305370d3e3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01221{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1561455689909150,"flow_src_last_pkt_time":1561455690039586,"flow_dst_last_pkt_time":1561455690058075,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1561455690058075,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.51","src_port":50503,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"media-mxp1-1.cdn.whatsapp.net","tls": {"version":"TLSv1.3","ja3":"b92a79ed03c3ff5611abb2305370d3e3","ja3s":"475c9302dc42b2751db9edcac3b74891","unsafe_cipher":0,"cipher":"TLS_CHACHA20_POLY1305_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":95,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1561455689909150,"flow_src_last_pkt_time":1561455690224696,"flow_dst_last_pkt_time":1561455690224643,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1331,"flow_dst_tot_l4_payload_len":7979,"midstream":0,"thread_ts_usec":1561455690224696,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.51","src_port":50503,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":25068.8,"flow_max":163286,"flow_stddev":51745.6,"c_to_s_min":5,"c_to_s_avg":27155.3,"c_to_s_max":146094,"c_to_s_stddev":52550.0,"s_to_c_min":1,"s_to_c_avg":22535.2,"s_to_c_max":163286,"s_to_c_stddev":50636.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":145.0,"c_to_s_max":583,"c_to_s_stddev":143.8,"s_to_c_min":66,"s_to_c_avg":598.5,"s_to_c_max":1454,"s_to_c_stddev":615.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} +01351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":95,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1561455689909150,"flow_src_last_pkt_time":1561455690224696,"flow_dst_last_pkt_time":1561455690224643,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1331,"flow_dst_tot_l4_payload_len":7979,"midstream":0,"thread_ts_usec":1561455690224696,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.51","src_port":50503,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":21034.6,"flow_max":163286,"flow_stddev":47564.2,"c_to_s_min":5,"c_to_s_avg":19721.6,"c_to_s_max":145211,"c_to_s_stddev":44661.9,"s_to_c_min":1,"s_to_c_avg":22535.2,"s_to_c_max":163286,"s_to_c_stddev":50636.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":145.0,"c_to_s_max":583,"c_to_s_stddev":143.8,"s_to_c_min":66,"s_to_c_avg":598.5,"s_to_c_max":1454,"s_to_c_stddev":615.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":181,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455701309996,"flow_src_last_pkt_time":1561455701309996,"flow_dst_last_pkt_time":1561455701309996,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":341,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":341,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":341,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455701309996,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00961{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":181,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1561455701309996,"flow_dst_last_pkt_time":1561455701309996,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":383,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":383,"pkt_l4_len":349,"thread_ts_usec":1561455701309996,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAFxXcMAAEARlWjAqAIBwKgC\/0RcRFwBXbU+eyJ2ZXJzaW9uIjogWzIsIDBdLCAicG9ydCI6IDE3NTAwLCAiaG9zdF9pbnQiOiAxNzQ1NjcxOTM5MjIwMTQ2OTg4Njg4NzAzNTEyMjAyNTg3OTI0NDMsICJkaXNwbGF5bmFtZSI6ICIiLCAibmFtZXNwYWNlcyI6IFsyNzUwMzcwNTYwLCA3ODUyNjYxNzcsIDE1MjYyNjMwNDUsIDEzMzg2NTkyMDEsIDE0ODE5MzM3LCA0ODA5NDIwMDQ4LCA1MTE3MDY2NDIsIDczNjM0MTUyOCwgOTM4ODEzODQ5LCAxMjY3Njk1MTA5LCA1NDQwNDA3MDcyLCA0ODEwNTkxNzYwLCA1ODM0NDk5NiwgOTk2MzA2MjE1LCA1MzAzMzAxMjQ4LCAzMDc1NTIxNjk2LCA0MDU2NDYyNTkyLCAyOTYzNjgyMDk2LCAxNTIyMTc3NTg3XX0="} 00869{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":181,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455701309996,"flow_src_last_pkt_time":1561455701309996,"flow_dst_last_pkt_time":1561455701309996,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":341,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":341,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":341,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455701309996,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -98,7 +98,7 @@ 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":250,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1561455707513528,"flow_dst_last_pkt_time":1561455707511792,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1561455707513528,"pkt":"xiwDYGpkkLkxKPrKCABFAAA0AABAAEAGxevAqAIMnfAUNMVIAbt68MpOu7CnhYAQBAb72QAAAQEICjTOSZq1oF6C"} 01152{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":251,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1561455707474558,"flow_src_last_pkt_time":1561455707524675,"flow_dst_last_pkt_time":1561455707511792,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455707524675,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.52","src_port":50504,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsApp","proto_id":"91.142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"pps.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"7a7a639628f0fe5c7e057628a5bbec5a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":253,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1561455707474558,"flow_src_last_pkt_time":1561455707524675,"flow_dst_last_pkt_time":1561455707564246,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1561455707564246,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.52","src_port":50504,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsApp","proto_id":"91.142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"pps.whatsapp.net","tls": {"version":"TLSv1.3","ja3":"7a7a639628f0fe5c7e057628a5bbec5a","ja3s":"475c9302dc42b2751db9edcac3b74891","unsafe_cipher":0,"cipher":"TLS_CHACHA20_POLY1305_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":293,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1561455707474558,"flow_src_last_pkt_time":1561455707778028,"flow_dst_last_pkt_time":1561455707778471,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":928,"flow_dst_tot_l4_payload_len":9370,"midstream":0,"thread_ts_usec":1561455707778471,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.52","src_port":50504,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5,"flow_avg":20195.1,"flow_max":129132,"flow_stddev":30517.6,"c_to_s_min":136,"c_to_s_avg":21395.6,"c_to_s_max":129132,"c_to_s_stddev":32393.2,"s_to_c_min":5,"s_to_c_avg":18994.6,"s_to_c_max":77447,"s_to_c_stddev":28468.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":124.8,"c_to_s_max":583,"c_to_s_stddev":127.3,"s_to_c_min":66,"s_to_c_avg":652.1,"s_to_c_max":1454,"s_to_c_stddev":631.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsApp","proto_id":"91.142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01346{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":293,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1561455707474558,"flow_src_last_pkt_time":1561455707778028,"flow_dst_last_pkt_time":1561455707778471,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":928,"flow_dst_tot_l4_payload_len":9370,"midstream":0,"thread_ts_usec":1561455707778471,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.52","src_port":50504,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":5,"flow_avg":19593.0,"flow_max":129132,"flow_stddev":30818.3,"c_to_s_min":136,"c_to_s_avg":20231.3,"c_to_s_max":129132,"c_to_s_stddev":33129.9,"s_to_c_min":5,"s_to_c_avg":18994.6,"s_to_c_max":77447,"s_to_c_stddev":28468.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":124.8,"c_to_s_max":583,"c_to_s_stddev":127.3,"s_to_c_min":66,"s_to_c_avg":652.1,"s_to_c_max":1454,"s_to_c_stddev":631.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsApp","proto_id":"91.142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":347,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1561455709888553,"flow_dst_last_pkt_time":1561455705874172,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":91,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":91,"pkt_l4_len":57,"thread_ts_usec":1561455709888553,"pkt":"AQBeAAD7kLkxKPrKCABFAABNP9UAAP8R2BrAqAIM4AAA+xTpFOkAOUTGAAAAAAACAAAAAAAABV9yYW9wBF90Y3AFbG9jYWwAAAwAAQhfYWlycGxhecASAAwAAQ=="} 00592{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":348,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_src_last_pkt_time":1561455709890098,"flow_dst_last_pkt_time":1561455705874523,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":111,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":111,"pkt_l4_len":57,"thread_ts_usec":1561455709890098,"pkt":"MzMAAAD7kLkxKPrKht1gDagnADkR\/\/6AAAAAAAAABBRAnYr9nwX\/AgAAAAAAAAAAAAAAAAD7FOkU6QA5e0MAAAAAAAIAAAAAAAAFX3Jhb3AEX3RjcAVsb2NhbAAADAABCF9haXJwbGF5wBIADAAB"} 00678{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":349,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_src_last_pkt_time":1561455709984212,"flow_dst_last_pkt_time":1561455706979952,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":174,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":174,"pkt_l4_len":140,"thread_ts_usec":1561455709984212,"pkt":"AQBef\/\/6kLkxKPrKCABFAACggMsAAAIRhNPAqAIM7\/\/\/+vzMB2wAjOY9TS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpzZXJ2aWNlOldBTklQQ29ubmVjdGlvbjoxDQpNQU46ICJzc2RwOmRpc2NvdmVyIg0KTVg6IDMNCg0K"} @@ -114,14 +114,14 @@ 01099{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":465,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455730495456,"flow_src_last_pkt_time":1561455730495456,"flow_dst_last_pkt_time":1561455730495456,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455730495456,"l3_proto":"ip4","src_ip":"91.252.56.51","dst_ip":"192.168.2.12","src_port":32704,"dst_port":56328,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_udp_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":473,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_src_last_pkt_time":1561455731073692,"flow_dst_last_pkt_time":1561455730495456,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455731073692,"pkt":"kLkxKPrKxiwDYGpkCABFAABIAlEAADERMHFb\/DgzwKgCDH\/A3AgANGApAAEAGCESpELobM0y9AHrYlN0+hgACAAU\/c20Lcr5wjE5JYKvJct9qbua6og="} 00961{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":477,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1561455731356183,"flow_dst_last_pkt_time":1561455701309996,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":383,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":383,"pkt_l4_len":349,"thread_ts_usec":1561455731356183,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAFxjdoAAEARZVHAqAIBwKgC\/0RcRFwBXbU+eyJ2ZXJzaW9uIjogWzIsIDBdLCAicG9ydCI6IDE3NTAwLCAiaG9zdF9pbnQiOiAxNzQ1NjcxOTM5MjIwMTQ2OTg4Njg4NzAzNTEyMjAyNTg3OTI0NDMsICJkaXNwbGF5bmFtZSI6ICIiLCAibmFtZXNwYWNlcyI6IFsyNzUwMzcwNTYwLCA3ODUyNjYxNzcsIDE1MjYyNjMwNDUsIDEzMzg2NTkyMDEsIDE0ODE5MzM3LCA0ODA5NDIwMDQ4LCA1MTE3MDY2NDIsIDczNjM0MTUyOCwgOTM4ODEzODQ5LCAxMjY3Njk1MTA5LCA1NDQwNDA3MDcyLCA0ODEwNTkxNzYwLCA1ODM0NDk5NiwgOTk2MzA2MjE1LCA1MzAzMzAxMjQ4LCAzMDc1NTIxNjk2LCA0MDU2NDYyNTkyLCAyOTYzNjgyMDk2LCAxNTIyMTc3NTg3XX0="} -01363{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":487,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1561455706912375,"flow_src_last_pkt_time":1561455731523132,"flow_dst_last_pkt_time":1561455731536124,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":6,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":278,"flow_src_tot_l4_payload_len":792,"flow_dst_tot_l4_payload_len":1833,"midstream":0,"thread_ts_usec":1561455731536124,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.48","src_port":56328,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":1539402.0,"flow_max":12196243,"flow_stddev":3014635.2,"c_to_s_min":58,"c_to_s_avg":2053093.0,"c_to_s_max":12194152,"c_to_s_stddev":3356058.0,"s_to_c_min":1,"s_to_c_avg":1231187.4,"s_to_c_max":12196243,"s_to_c_stddev":2744019.2},"pktlen": {"c_to_s_min":48,"c_to_s_avg":108.0,"c_to_s_max":168,"c_to_s_stddev":60.0,"s_to_c_min":44,"s_to_c_avg":133.6,"s_to_c_max":320,"s_to_c_stddev":98.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01363{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":487,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1561455706912375,"flow_src_last_pkt_time":1561455731523132,"flow_dst_last_pkt_time":1561455731536124,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":6,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":278,"flow_src_tot_l4_payload_len":792,"flow_dst_tot_l4_payload_len":1833,"midstream":0,"thread_ts_usec":1561455731536124,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.48","src_port":56328,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":1588209.8,"flow_max":12196243,"flow_stddev":3050402.8,"c_to_s_min":58,"c_to_s_avg":2237341.5,"c_to_s_max":12194152,"c_to_s_stddev":3446690.5,"s_to_c_min":1,"s_to_c_avg":1231187.4,"s_to_c_max":12196243,"s_to_c_stddev":2744019.2},"pktlen": {"c_to_s_min":48,"c_to_s_avg":108.0,"c_to_s_max":168,"c_to_s_stddev":60.0,"s_to_c_min":44,"s_to_c_avg":133.6,"s_to_c_max":320,"s_to_c_stddev":98.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":501,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455731665769,"flow_src_last_pkt_time":1561455731665769,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455731665769,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"1.60.78.64","src_port":56328,"dst_port":64282,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":501,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_src_last_pkt_time":1561455731665769,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455731665769,"pkt":"xiwDYGpkkLkxKPrKCABFAABId7IAAEAR8MLAqAIMATxOQNwI+xoANL93AAEAGCESpEJNNg9OA5IbZKhKGmoACAAUkUJIDnID0ka3i4LpQfhGRUa3K\/w="} 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":501,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455731665769,"flow_src_last_pkt_time":1561455731665769,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455731665769,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"1.60.78.64","src_port":56328,"dst_port":64282,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_udp_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":503,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_src_last_pkt_time":1561455731697327,"flow_dst_last_pkt_time":1561455730495456,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455731697327,"pkt":"kLkxKPrKxiwDYGpkCABFAABI\/gUAADERNLxb\/DgzwKgCDH\/A3AgANISZAAEAGCESpEKSaahiiU3KFyQDpDgACAAUPvQQqrwwB3kMX1876e4ssz8N17Y="} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":518,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_src_last_pkt_time":1561455732298035,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455732298035,"pkt":"xiwDYGpkkLkxKPrKCABFAABIre0AAEARuofAqAIMATxOQNwI+xoANHLOAAEAGCESpEIrgAUzrwTeBSrSSH8ACAAUv8Ev3sei+dcRfEZy9ei0mRui3Zw="} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":528,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_src_last_pkt_time":1561455732919461,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455732919461,"pkt":"xiwDYGpkkLkxKPrKCABFAABIV+kAAEAREIzAqAIMATxOQNwI+xoANBvDAAEAGCESpELCs7YUVt8QVzF73yEACAAUMmINwHB46SKyj3xrODHnuD6GHSA="} -01492{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":538,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1561455730495456,"flow_src_last_pkt_time":1561455733316995,"flow_dst_last_pkt_time":1561455733325980,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":171,"flow_dst_max_l4_payload_len":273,"flow_src_tot_l4_payload_len":1873,"flow_dst_tot_l4_payload_len":1869,"midstream":0,"thread_ts_usec":1561455733325980,"l3_proto":"ip4","src_ip":"91.252.56.51","dst_ip":"192.168.2.12","src_port":32704,"dst_port":56328,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":239191.0,"flow_max":2002048,"flow_stddev":388591.4,"c_to_s_min":2,"c_to_s_avg":267977.1,"c_to_s_max":2002048,"c_to_s_stddev":452057.2,"s_to_c_min":2967,"s_to_c_avg":202180.3,"s_to_c_max":1203723,"s_to_c_stddev":282793.3},"pktlen": {"c_to_s_min":68,"c_to_s_avg":146.1,"c_to_s_max":213,"c_to_s_stddev":41.7,"s_to_c_min":86,"s_to_c_avg":175.5,"s_to_c_max":315,"s_to_c_stddev":58.1}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01491{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":538,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1561455730495456,"flow_src_last_pkt_time":1561455733316995,"flow_dst_last_pkt_time":1561455733325980,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":171,"flow_dst_max_l4_payload_len":273,"flow_src_tot_l4_payload_len":1873,"flow_dst_tot_l4_payload_len":1869,"midstream":0,"thread_ts_usec":1561455733325980,"l3_proto":"ip4","src_ip":"91.252.56.51","dst_ip":"192.168.2.12","src_port":32704,"dst_port":56328,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2,"flow_avg":182324.6,"flow_max":1203723,"flow_stddev":228895.9,"c_to_s_min":2,"c_to_s_avg":165972.9,"c_to_s_max":623635,"c_to_s_stddev":170556.0,"s_to_c_min":2967,"s_to_c_avg":202180.3,"s_to_c_max":1203723,"s_to_c_stddev":282793.3},"pktlen": {"c_to_s_min":68,"c_to_s_avg":146.1,"c_to_s_max":213,"c_to_s_stddev":41.7,"s_to_c_min":86,"s_to_c_avg":175.5,"s_to_c_max":315,"s_to_c_stddev":58.1}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00915{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":632,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1561455705874172,"flow_src_last_pkt_time":1561455737893179,"flow_dst_last_pkt_time":1561455705874172,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":49,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":138,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":334,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455737893179,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"_homekit._tcp.local","mdns": {}}} 00924{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":633,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1561455705874523,"flow_src_last_pkt_time":1561455737895397,"flow_dst_last_pkt_time":1561455705874523,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":49,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":138,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":334,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455737895397,"l3_proto":"ip6","src_ip":"fe80::414:409d:8afd:9f05","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"_homekit._tcp.local","mdns": {}}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":640,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455738163757,"flow_src_last_pkt_time":1561455738163757,"flow_dst_last_pkt_time":1561455738163757,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1561455738163757,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"169.254.162.244","src_port":49352,"dst_port":49159,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/waze.pcap.out b/test/results/waze.pcap.out index 46de91374..170a3c46e 100644 --- a/test/results/waze.pcap.out +++ b/test/results/waze.pcap.out @@ -98,8 +98,8 @@ 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":199,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_src_last_pkt_time":1435587872705148,"flow_dst_last_pkt_time":1435587872704043,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587872705148,"pkt":"ABoRAAACABoRAAABCABFAAAoY6pAAEAGsooKCAABNubjrLHyAFAC8Q5A\/Q7xwVAQ\/\/\/Y9AAA"} 01018{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":201,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1435587872702798,"flow_src_last_pkt_time":1435587872706282,"flow_dst_last_pkt_time":1435587872704043,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1435587872706282,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45554,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Waze","proto_id":"7.135","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"cres.waze.com","http": {"url":"cres.waze.com\/newVconfig\/1.0\/3\/lang.conf?rtserver-id=15","code":0,"content_type":"","user_agent":"\/3.9.4.0"}}} 01026{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":203,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1435587872702798,"flow_src_last_pkt_time":1435587872706862,"flow_dst_last_pkt_time":1435587872706630,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1435587872706862,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45554,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Waze","proto_id":"7.135","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"cres.waze.com","http": {"url":"cres.waze.com\/newVconfig\/1.0\/3\/lang.conf?rtserver-id=15","code":0,"content_type":"","user_agent":"\/3.9.4.0"}}} -01471{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":227,"source":"waze.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587867755556,"flow_src_last_pkt_time":1435587873023451,"flow_dst_last_pkt_time":1435587873023894,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":11779,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":60924,"midstream":0,"thread_ts_usec":1435587873023894,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"65.39.128.135","src_port":54915,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2041,"flow_avg":339007.3,"flow_max":3680611,"flow_stddev":870757.6,"c_to_s_min":2041,"c_to_s_avg":348743.5,"c_to_s_max":3680611,"c_to_s_stddev":869573.4,"s_to_c_min":2610,"s_to_c_avg":329271.1,"s_to_c_max":3677989,"s_to_c_stddev":871831.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":71.7,"c_to_s_max":317,"c_to_s_stddev":63.5,"s_to_c_min":54,"s_to_c_avg":3861.8,"s_to_c_max":11833,"s_to_c_stddev":3452.0}},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} -01202{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":236,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868634159,"flow_src_last_pkt_time":1435587873119875,"flow_dst_last_pkt_time":1435587873120117,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":5461,"flow_src_tot_l4_payload_len":3221,"flow_dst_tot_l4_payload_len":13199,"midstream":0,"thread_ts_usec":1435587873120117,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":169,"flow_avg":280431.3,"flow_max":1658841,"flow_stddev":499602.3,"c_to_s_min":169,"c_to_s_avg":280490.3,"c_to_s_max":1658841,"c_to_s_stddev":510186.8,"s_to_c_min":254,"s_to_c_avg":280372.4,"s_to_c_max":1601922,"s_to_c_stddev":488788.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":256.6,"c_to_s_max":590,"c_to_s_stddev":210.1,"s_to_c_min":54,"s_to_c_avg":878.9,"s_to_c_max":5515,"s_to_c_stddev":1729.8}}} +01471{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":227,"source":"waze.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587867755556,"flow_src_last_pkt_time":1435587873023451,"flow_dst_last_pkt_time":1435587873023894,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":11779,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":60924,"midstream":0,"thread_ts_usec":1435587873023894,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"65.39.128.135","src_port":54915,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":2041,"flow_avg":339878.5,"flow_max":3680611,"flow_stddev":884676.9,"c_to_s_min":2041,"c_to_s_avg":351193.0,"c_to_s_max":3680611,"c_to_s_stddev":898038.1,"s_to_c_min":2610,"s_to_c_avg":329271.1,"s_to_c_max":3677989,"s_to_c_stddev":871831.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":71.7,"c_to_s_max":317,"c_to_s_stddev":63.5,"s_to_c_min":54,"s_to_c_avg":3861.8,"s_to_c_max":11833,"s_to_c_stddev":3452.0}},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} +01202{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":236,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868634159,"flow_src_last_pkt_time":1435587873119875,"flow_dst_last_pkt_time":1435587873120117,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":5461,"flow_src_tot_l4_payload_len":3221,"flow_dst_tot_l4_payload_len":13199,"midstream":0,"thread_ts_usec":1435587873120117,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":169,"flow_avg":289408.8,"flow_max":1658841,"flow_stddev":505049.6,"c_to_s_min":169,"c_to_s_avg":299047.7,"c_to_s_max":1658841,"c_to_s_stddev":521663.9,"s_to_c_min":254,"s_to_c_avg":280372.4,"s_to_c_max":1601922,"s_to_c_stddev":488788.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":256.6,"c_to_s_max":590,"c_to_s_stddev":210.1,"s_to_c_min":54,"s_to_c_avg":878.9,"s_to_c_max":5515,"s_to_c_stddev":1729.8}}} 01659{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":236,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868634159,"flow_src_last_pkt_time":1435587873119875,"flow_dst_last_pkt_time":1435587873120117,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":5461,"flow_src_tot_l4_payload_len":3221,"flow_dst_tot_l4_payload_len":13199,"midstream":0,"thread_ts_usec":1435587873120117,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}} 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":247,"source":"waze.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1435587871929480,"flow_src_last_pkt_time":1435587872139946,"flow_dst_last_pkt_time":1435587873486827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":182,"flow_dst_tot_l4_payload_len":1368,"midstream":0,"thread_ts_usec":1435587873486827,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","tls": {"version":"TLSv1","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}} 01548{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":249,"source":"waze.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1435587871935294,"flow_src_last_pkt_time":1435587872566264,"flow_dst_last_pkt_time":1435587873688799,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":2111,"flow_src_tot_l4_payload_len":182,"flow_dst_tot_l4_payload_len":3479,"midstream":0,"thread_ts_usec":1435587873688799,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51051,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.waze.com","fingerprint":"A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57"}}} @@ -168,10 +168,10 @@ 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":461,"source":"waze.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_src_last_pkt_time":1435587880589106,"flow_dst_last_pkt_time":1435587880589106,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587880589106,"pkt":"ABoRAAACABoRAAABCABFAAAoS15AAEAGGJgKCAAByKAEMew\/Abump6BqWVh1BVAR\/\/\/VjgAA"} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":462,"source":"waze.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1435587880589106,"flow_dst_last_pkt_time":1435587880589338,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587880589338,"pkt":"ABoRAAACABoRAAABCABFAAAodVJAABAGHqTIoAQxCggAAQG77D9ZWHUFpqega1AQ\/\/\/VjgAA"} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":463,"source":"waze.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_src_last_pkt_time":1435587880589106,"flow_dst_last_pkt_time":1435587880589665,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587880589665,"pkt":"ABoRAAACABoRAAABCABFAAAodVNAABAGHqPIoAQxCggAAQG77D9ZWHUFpqega1AR\/\/\/VjQAA"} -01585{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587878215938,"flow_src_last_pkt_time":1435587880855977,"flow_dst_last_pkt_time":1435587880856912,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":21888,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":56070,"midstream":0,"thread_ts_usec":1435587880856912,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":475,"flow_avg":175723.8,"flow_max":415925,"flow_stddev":136280.2,"c_to_s_min":490,"c_to_s_avg":186386.6,"c_to_s_max":387205,"c_to_s_stddev":139063.3,"s_to_c_min":475,"s_to_c_avg":165060.9,"s_to_c_max":415925,"s_to_c_stddev":132584.3},"pktlen": {"c_to_s_min":54,"c_to_s_avg":119.2,"c_to_s_max":590,"c_to_s_stddev":135.4,"s_to_c_min":54,"s_to_c_avg":3558.4,"s_to_c_max":21942,"s_to_c_stddev":6124.9}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01206{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":492,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1435587878606407,"flow_src_last_pkt_time":1435587882306533,"flow_dst_last_pkt_time":1435587880854651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":11132,"flow_src_tot_l4_payload_len":1238,"flow_dst_tot_l4_payload_len":41633,"midstream":0,"thread_ts_usec":1435587882306533,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":330,"flow_avg":188311.3,"flow_max":1449192,"flow_stddev":275864.6,"c_to_s_min":450,"c_to_s_avg":222218.7,"c_to_s_max":1449192,"c_to_s_stddev":350318.8,"s_to_c_min":330,"s_to_c_avg":149882.9,"s_to_c_max":475681,"s_to_c_stddev":143119.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":128.0,"c_to_s_max":590,"c_to_s_stddev":147.3,"s_to_c_min":54,"s_to_c_avg":2829.5,"s_to_c_max":11186,"s_to_c_stddev":3901.4}}} +01585{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587878215938,"flow_src_last_pkt_time":1435587880855977,"flow_dst_last_pkt_time":1435587880856912,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":21888,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":56070,"midstream":0,"thread_ts_usec":1435587880856912,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":475,"flow_avg":170355.3,"flow_max":415925,"flow_stddev":135089.4,"c_to_s_min":490,"c_to_s_avg":176002.6,"c_to_s_max":387205,"c_to_s_stddev":137486.8,"s_to_c_min":475,"s_to_c_avg":165060.9,"s_to_c_max":415925,"s_to_c_stddev":132584.3},"pktlen": {"c_to_s_min":54,"c_to_s_avg":119.2,"c_to_s_max":590,"c_to_s_stddev":135.4,"s_to_c_min":54,"s_to_c_avg":3558.4,"s_to_c_max":21942,"s_to_c_stddev":6124.9}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01206{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":492,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1435587878606407,"flow_src_last_pkt_time":1435587882306533,"flow_dst_last_pkt_time":1435587880854651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":11132,"flow_src_tot_l4_payload_len":1238,"flow_dst_tot_l4_payload_len":41633,"midstream":0,"thread_ts_usec":1435587882306533,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":330,"flow_avg":191882.9,"flow_max":1449192,"flow_stddev":279549.5,"c_to_s_min":450,"c_to_s_avg":231257.9,"c_to_s_max":1449192,"c_to_s_stddev":359171.9,"s_to_c_min":330,"s_to_c_avg":149882.9,"s_to_c_max":475681,"s_to_c_stddev":143119.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":128.0,"c_to_s_max":590,"c_to_s_stddev":147.3,"s_to_c_min":54,"s_to_c_avg":2829.5,"s_to_c_max":11186,"s_to_c_stddev":3901.4}}} 01565{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":492,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1435587878606407,"flow_src_last_pkt_time":1435587882306533,"flow_dst_last_pkt_time":1435587880854651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":11132,"flow_src_tot_l4_payload_len":1238,"flow_dst_tot_l4_payload_len":41633,"midstream":0,"thread_ts_usec":1435587882306533,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}} -01688{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":518,"source":"waze.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868635666,"flow_src_last_pkt_time":1435587884544120,"flow_dst_last_pkt_time":1435587884544651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":501,"flow_dst_max_l4_payload_len":3606,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":8366,"midstream":0,"thread_ts_usec":1435587884544651,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":413,"flow_avg":994342.1,"flow_max":5890947,"flow_stddev":1759865.9,"c_to_s_min":554,"c_to_s_avg":994372.6,"c_to_s_max":5838678,"c_to_s_stddev":1756023.0,"s_to_c_min":413,"s_to_c_avg":994311.6,"s_to_c_max":5890947,"s_to_c_stddev":1763700.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":155.2,"c_to_s_max":555,"c_to_s_stddev":147.9,"s_to_c_min":54,"s_to_c_avg":576.9,"s_to_c_max":3660,"s_to_c_stddev":980.1}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01690{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":518,"source":"waze.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868635666,"flow_src_last_pkt_time":1435587884544120,"flow_dst_last_pkt_time":1435587884544651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":501,"flow_dst_max_l4_payload_len":3606,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":8366,"midstream":0,"thread_ts_usec":1435587884544651,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":413,"flow_avg":1026369.1,"flow_max":5890947,"flow_stddev":1778823.2,"c_to_s_min":554,"c_to_s_avg":1060563.6,"c_to_s_max":5838678,"c_to_s_stddev":1794182.6,"s_to_c_min":413,"s_to_c_avg":994311.6,"s_to_c_max":5890947,"s_to_c_stddev":1763700.4},"pktlen": {"c_to_s_min":54,"c_to_s_avg":155.2,"c_to_s_max":555,"c_to_s_stddev":147.9,"s_to_c_min":54,"s_to_c_avg":576.9,"s_to_c_max":3660,"s_to_c_stddev":980.1}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":532,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1435587894241434,"flow_src_last_pkt_time":1435587894241434,"flow_dst_last_pkt_time":1435587894241434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1435587894241434,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36134,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":532,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1435587894241434,"flow_dst_last_pkt_time":1435587894241434,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1435587894241434,"pkt":"ABoRAAACABoRAAABCABFAAA87+5AAEAGZNsKCAABLjOtto0mAbvDfJnqAAAAAKAC\/\/\/\/twAAAgQFtAQCCAoACHYEAAAAAAEDAwg="} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":533,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_src_last_pkt_time":1435587894241434,"flow_dst_last_pkt_time":1435587894244164,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587894244164,"pkt":"ABoRAAACABoRAAABCABFAAAodXFAABAGD20uM622CggAAQG7jSY8g2YVw3yZ61AS\/\/86\/gAA"} @@ -247,5 +247,5 @@ ~~ total allocations/frees...: 122510/122510 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 475 chars -~~ json string max len.......: 1693 chars -~~ json string avg len.......: 1084 chars +~~ json string max len.......: 1695 chars +~~ json string avg len.......: 1085 chars diff --git a/test/results/webex.pcap.out b/test/results/webex.pcap.out index cd187b5b8..0fea63f1a 100644 --- a/test/results/webex.pcap.out +++ b/test/results/webex.pcap.out @@ -6,7 +6,7 @@ 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1444570624860575,"flow_dst_last_pkt_time":1444570624860347,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570624860575,"pkt":"ABoRAAACABoRAAABCABFAAAoOXRAAEAGTagKCAABQERpZ6GCAbtPGIcNsOd49FAQOQgf2QAA"} 01161{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570624860735,"flow_dst_last_pkt_time":1444570624860347,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":195,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570624860735,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01518{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570625418062,"flow_dst_last_pkt_time":1444570625424499,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":195,"flow_dst_tot_l4_payload_len":3939,"midstream":0,"thread_ts_usec":1444570625424499,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","server_names":"*.webex.com","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}} -01215{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570626601155,"flow_dst_last_pkt_time":1444570626600999,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":2935,"flow_dst_tot_l4_payload_len":8179,"midstream":0,"thread_ts_usec":1444570626601155,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":160,"flow_avg":41500356.0,"flow_max":1324516929,"flow_stddev":230436640.0,"c_to_s_min":160,"c_to_s_avg":78015544.0,"c_to_s_max":1324516929,"c_to_s_stddev":311625376.0,"s_to_c_min":592,"s_to_c_avg":116477.2,"s_to_c_max":505708,"s_to_c_stddev":142354.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":227.8,"c_to_s_max":590,"c_to_s_stddev":214.2,"s_to_c_min":54,"s_to_c_avg":599.3,"s_to_c_max":2774,"s_to_c_stddev":783.9}}} +01197{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570626601155,"flow_dst_last_pkt_time":1444570626600999,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":2935,"flow_dst_tot_l4_payload_len":8179,"midstream":0,"thread_ts_usec":1444570626601155,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":160,"flow_avg":112724.9,"flow_max":557327,"flow_stddev":156273.3,"c_to_s_min":160,"c_to_s_avg":109207.1,"c_to_s_max":557327,"c_to_s_stddev":168203.6,"s_to_c_min":592,"s_to_c_avg":116477.2,"s_to_c_max":505708,"s_to_c_stddev":142354.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":227.8,"c_to_s_max":590,"c_to_s_stddev":214.2,"s_to_c_min":54,"s_to_c_avg":599.3,"s_to_c_max":2774,"s_to_c_stddev":783.9}}} 01522{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570626601155,"flow_dst_last_pkt_time":1444570626600999,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":2935,"flow_dst_tot_l4_payload_len":8179,"midstream":0,"thread_ts_usec":1444570626601155,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","server_names":"*.webex.com","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}} 00747{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":50,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570627404164,"flow_src_last_pkt_time":1444570627404164,"flow_dst_last_pkt_time":1444570627404164,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570627404164,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41348,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1444570627404164,"flow_dst_last_pkt_time":1444570627404164,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570627404164,"pkt":"ABoRAAACABoRAAABCABFAAA8hnNAAEAGAJUKCAABQERpZ6GEAbuwMDkNAAAAAKACOQgO\/QAAAgQFtAQCCAoATL9+AAAAAAEDAwY="} @@ -26,7 +26,7 @@ 01162{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":89,"source":"webex.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1444570628117770,"flow_src_last_pkt_time":1444570628122668,"flow_dst_last_pkt_time":1444570628121468,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570628122668,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41351,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01206{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":104,"source":"webex.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1444570628113579,"flow_src_last_pkt_time":1444570628121998,"flow_dst_last_pkt_time":1444570628514304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1444570628514304,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41350,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}} 01208{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"webex.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1444570628117770,"flow_src_last_pkt_time":1444570628122668,"flow_dst_last_pkt_time":1444570628565912,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":129,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":129,"midstream":0,"thread_ts_usec":1444570628565912,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41351,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}} -01489{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":129,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570627404164,"flow_src_last_pkt_time":1444570629212279,"flow_dst_last_pkt_time":1444570629155254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":17966,"flow_src_tot_l4_payload_len":2270,"flow_dst_tot_l4_payload_len":46819,"midstream":0,"thread_ts_usec":1444570629212279,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41348,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":156,"flow_avg":112999.2,"flow_max":455330,"flow_stddev":124242.4,"c_to_s_min":156,"c_to_s_avg":116555.3,"c_to_s_max":455330,"c_to_s_stddev":130830.4,"s_to_c_min":302,"s_to_c_avg":109443.1,"s_to_c_max":404661,"s_to_c_stddev":117177.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":197.1,"c_to_s_max":590,"c_to_s_stddev":213.8,"s_to_c_min":54,"s_to_c_avg":2980.2,"s_to_c_max":18020,"s_to_c_stddev":4843.9}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01489{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":129,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570627404164,"flow_src_last_pkt_time":1444570629212279,"flow_dst_last_pkt_time":1444570629155254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":17966,"flow_src_tot_l4_payload_len":2270,"flow_dst_tot_l4_payload_len":46819,"midstream":0,"thread_ts_usec":1444570629212279,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41348,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":156,"flow_avg":114813.1,"flow_max":455330,"flow_stddev":125812.7,"c_to_s_min":156,"c_to_s_avg":120541.0,"c_to_s_max":455330,"c_to_s_stddev":134177.3,"s_to_c_min":302,"s_to_c_avg":109443.1,"s_to_c_max":404661,"s_to_c_stddev":117177.1},"pktlen": {"c_to_s_min":54,"c_to_s_avg":197.1,"c_to_s_max":590,"c_to_s_stddev":213.8,"s_to_c_min":54,"s_to_c_avg":2980.2,"s_to_c_max":18020,"s_to_c_stddev":4843.9}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":167,"source":"webex.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570630272557,"flow_src_last_pkt_time":1444570630272557,"flow_dst_last_pkt_time":1444570630272557,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1444570630272557,"l3_proto":"ip4","src_ip":"10.133.206.47","dst_ip":"185.63.147.10","src_port":54651,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":167,"source":"webex.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1444570630272557,"flow_dst_last_pkt_time":1444570630272557,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1444570630272557,"pkt":"ABoRAAACABoRAAABCABFAAA0ymtAAEAGS1oKhc4vuT+TCtV7Abs2TX647AAfvYARAZp5QwAAAQEICgBMwJ1XHSbf"} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":168,"source":"webex.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1444570630272557,"flow_dst_last_pkt_time":1444570630272755,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570630272755,"pkt":"ABoRAAACABoRAAABCABFAAAoAWBAABAGRHK5P5MKCoXOLwG71XvsAB+9Nk1+uVAQ\/\/\/y2gAA"} @@ -53,7 +53,7 @@ 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":220,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1444570633360483,"flow_dst_last_pkt_time":1444570633360351,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570633360483,"pkt":"ABoRAAACABoRAAABCABFAAAo7DFAAEAGmuoKCAABQERpZ6GOAbtaKC3jpdfSHlAQOQgfzQAA"} 01138{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":221,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1444570633357298,"flow_src_last_pkt_time":1444570633362374,"flow_dst_last_pkt_time":1444570633360351,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":63,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":63,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570633362374,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","tls": {"version":"TLSv1","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01602{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":225,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1444570633357298,"flow_src_last_pkt_time":1444570633810470,"flow_dst_last_pkt_time":1444570633811592,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":63,"flow_dst_max_l4_payload_len":2579,"flow_src_tot_l4_payload_len":63,"flow_dst_tot_l4_payload_len":3939,"midstream":0,"thread_ts_usec":1444570633811592,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","tls": {"version":"TLSv1","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}} -01586{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":249,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570633357298,"flow_src_last_pkt_time":1444570635772189,"flow_dst_last_pkt_time":1444570635721813,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":8847,"flow_src_tot_l4_payload_len":959,"flow_dst_tot_l4_payload_len":33212,"midstream":0,"thread_ts_usec":1444570635772189,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":383,"flow_avg":168598.7,"flow_max":1031495,"flow_stddev":256197.2,"c_to_s_min":383,"c_to_s_avg":189415.2,"c_to_s_max":1031495,"c_to_s_stddev":274246.4,"s_to_c_min":975,"s_to_c_avg":147782.2,"s_to_c_max":979869,"s_to_c_stddev":234938.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":115.2,"c_to_s_max":590,"c_to_s_stddev":145.6,"s_to_c_min":54,"s_to_c_avg":2129.8,"s_to_c_max":8901,"s_to_c_stddev":2912.5}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01586{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":249,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570633357298,"flow_src_last_pkt_time":1444570635772189,"flow_dst_last_pkt_time":1444570635721813,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":8847,"flow_src_tot_l4_payload_len":959,"flow_dst_tot_l4_payload_len":33212,"midstream":0,"thread_ts_usec":1444570635772189,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":383,"flow_avg":154174.4,"flow_max":1031495,"flow_stddev":247176.8,"c_to_s_min":383,"c_to_s_avg":160992.7,"c_to_s_max":1031495,"c_to_s_stddev":259421.9,"s_to_c_min":975,"s_to_c_avg":147782.2,"s_to_c_max":979869,"s_to_c_stddev":234938.8},"pktlen": {"c_to_s_min":54,"c_to_s_avg":115.2,"c_to_s_max":590,"c_to_s_stddev":145.6,"s_to_c_min":54,"s_to_c_avg":2129.8,"s_to_c_max":8901,"s_to_c_stddev":2912.5}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":256,"source":"webex.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570636151328,"flow_src_last_pkt_time":1444570636151328,"flow_dst_last_pkt_time":1444570636151328,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570636151328,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"114.29.213.212","src_port":41726,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":256,"source":"webex.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1444570636151328,"flow_dst_last_pkt_time":1444570636151328,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570636151328,"pkt":"ABoRAAACABoRAAABCABFAAA8tbVAAEAGMwwKCAABch3V1KL+AbsYGndcAAAAAKACOQjFmAAAAgQFtAQCCAoATMLpAAAAAAEDAwY="} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"webex.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1444570636151328,"flow_dst_last_pkt_time":1444570636154295,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570636154295,"pkt":"ABoRAAACABoRAAABCABFAAAoAY1AABAGF0lyHdXUCggAAQG7ov7n5YijGBp3XVAS\/\/+5HQAA"} @@ -222,9 +222,9 @@ 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":663,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_src_last_pkt_time":1444570674487975,"flow_dst_last_pkt_time":1444570674499448,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570674499448,"pkt":"ABoRAAACABoRAAABCABFAAAoAklAABAGsB2t8wBuCggAAQG72XFdISYDot7Z\/VAS\/\/8cOwAA"} 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":664,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1444570674500159,"flow_dst_last_pkt_time":1444570674499448,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570674500159,"pkt":"ABoRAAACABoRAAABCABFAAAoCB9AAEAGekcKCAABrfMAbtlxAbui3tn9XSEmBFAQOQjjMwAA"} 01141{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":665,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1444570674487975,"flow_src_last_pkt_time":1444570674600509,"flow_dst_last_pkt_time":1444570674499448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570674600509,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55665,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","tls": {"version":"TLSv1","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} -01592{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":670,"source":"webex.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570669745822,"flow_src_last_pkt_time":1444570675008962,"flow_dst_last_pkt_time":1444570675008306,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":10527,"flow_src_tot_l4_payload_len":863,"flow_dst_tot_l4_payload_len":17665,"midstream":0,"thread_ts_usec":1444570675008962,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51155,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":142,"flow_avg":329228.2,"flow_max":2214636,"flow_stddev":542187.8,"c_to_s_min":142,"c_to_s_avg":329551.2,"c_to_s_max":2165090,"c_to_s_stddev":536872.5,"s_to_c_min":3176,"s_to_c_avg":328905.2,"s_to_c_max":2214636,"s_to_c_stddev":547451.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":109.2,"c_to_s_max":528,"c_to_s_stddev":133.8,"s_to_c_min":54,"s_to_c_avg":1158.1,"s_to_c_max":10581,"s_to_c_stddev":2602.2}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01592{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":670,"source":"webex.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570669745822,"flow_src_last_pkt_time":1444570675008962,"flow_dst_last_pkt_time":1444570675008306,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":10527,"flow_src_tot_l4_payload_len":863,"flow_dst_tot_l4_payload_len":17665,"midstream":0,"thread_ts_usec":1444570675008962,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51155,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":142,"flow_avg":339536.2,"flow_max":2214636,"flow_stddev":547768.4,"c_to_s_min":142,"c_to_s_avg":350876.0,"c_to_s_max":2165090,"c_to_s_stddev":547879.2,"s_to_c_min":3176,"s_to_c_avg":328905.2,"s_to_c_max":2214636,"s_to_c_stddev":547451.2},"pktlen": {"c_to_s_min":54,"c_to_s_avg":109.2,"c_to_s_max":528,"c_to_s_stddev":133.8,"s_to_c_min":54,"s_to_c_avg":1158.1,"s_to_c_max":10581,"s_to_c_stddev":2602.2}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01605{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":671,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1444570674487975,"flow_src_last_pkt_time":1444570674600509,"flow_dst_last_pkt_time":1444570675110598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":3907,"midstream":0,"thread_ts_usec":1444570675110598,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55665,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","tls": {"version":"TLSv1","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}} -01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":675,"source":"webex.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570669736143,"flow_src_last_pkt_time":1444570675113022,"flow_dst_last_pkt_time":1444570675113218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":4673,"flow_dst_tot_l4_payload_len":3966,"midstream":0,"thread_ts_usec":1444570675113218,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51154,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":309,"flow_avg":493528.9,"flow_max":5038970,"flow_stddev":1006469.9,"c_to_s_min":367,"c_to_s_avg":650990.6,"c_to_s_max":5038970,"c_to_s_stddev":1275513.9,"s_to_c_min":309,"s_to_c_avg":336067.2,"s_to_c_max":2270107,"s_to_c_stddev":591133.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":347.3,"c_to_s_max":590,"c_to_s_stddev":213.6,"s_to_c_min":54,"s_to_c_avg":301.9,"s_to_c_max":3961,"s_to_c_stddev":944.9}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01587{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":675,"source":"webex.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570669736143,"flow_src_last_pkt_time":1444570675113022,"flow_dst_last_pkt_time":1444570675113218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":4673,"flow_dst_tot_l4_payload_len":3966,"midstream":0,"thread_ts_usec":1444570675113218,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51154,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":309,"flow_avg":346901.8,"flow_max":2270107,"flow_stddev":598058.5,"c_to_s_min":367,"c_to_s_avg":358458.6,"c_to_s_max":2270083,"c_to_s_stddev":605143.6,"s_to_c_min":309,"s_to_c_avg":336067.2,"s_to_c_max":2270107,"s_to_c_stddev":591133.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":347.3,"c_to_s_max":590,"c_to_s_stddev":213.6,"s_to_c_min":54,"s_to_c_avg":301.9,"s_to_c_max":3961,"s_to_c_stddev":944.9}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":736,"source":"webex.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570675941714,"flow_src_last_pkt_time":1444570675941714,"flow_dst_last_pkt_time":1444570675941714,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570675941714,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51833,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":736,"source":"webex.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_src_last_pkt_time":1444570675941714,"flow_dst_last_pkt_time":1444570675941714,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570675941714,"pkt":"ABoRAAACABoRAAABCABFAAA8SaRAAEAGwwMKCAABPm3lnsp5AbteGJvVAAAAAKACOQhIBAAAAgQFtAQCCAoATNJxAAAAAAEDAwY="} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":737,"source":"webex.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_src_last_pkt_time":1444570675941714,"flow_dst_last_pkt_time":1444570675945842,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570675945842,"pkt":"ABoRAAACABoRAAABCABFAAAoAm5AABAGOk4+beWeCggAAQG7ynmh52QqXhib1lAS\/\/+1iAAA"} @@ -309,7 +309,7 @@ 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1491,"source":"webex.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":1,"flow_src_last_pkt_time":1444570719041198,"flow_dst_last_pkt_time":1444570719041198,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570719041198,"pkt":"ABoRAAACABoRAAABCABFAAA8mB5AAEAGdIkKCAABPm3lnsqTAbu3\/XtaAAAAAKACOQj9rAAAAgQFtAQCCAoATONEAAAAAAEDAwY="} 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1492,"source":"webex.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":2,"flow_src_last_pkt_time":1444570719041198,"flow_dst_last_pkt_time":1444570719047347,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570719047347,"pkt":"ABoRAAACABoRAAABCABFAAAoA+JAABAGONo+beWeCggAAQG7ypNIAoSlt\/17W1AS\/\/+1bgAA"} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1494,"source":"webex.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":3,"flow_src_last_pkt_time":1444570720045734,"flow_dst_last_pkt_time":1444570719047347,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570720045734,"pkt":"ABoRAAACABoRAAABCABFAAAoAABAAEAGDLwKCAABPm3lnsqTAbu3\/XtbAAAAAFAEAACCJAAA"} -01588{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1495,"source":"webex.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570716599098,"flow_src_last_pkt_time":1444570719040525,"flow_dst_last_pkt_time":1444570720047703,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":378,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":1559,"flow_dst_tot_l4_payload_len":4630,"midstream":0,"thread_ts_usec":1444570720047703,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51857,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":213,"flow_avg":184115.4,"flow_max":1366658,"flow_stddev":348308.9,"c_to_s_min":213,"c_to_s_avg":152693.0,"c_to_s_max":1366658,"c_to_s_stddev":324797.2,"s_to_c_min":855,"s_to_c_avg":215537.8,"s_to_c_max":1312624,"s_to_c_stddev":367655.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":152.7,"c_to_s_max":432,"c_to_s_stddev":113.7,"s_to_c_min":54,"s_to_c_avg":343.4,"s_to_c_max":3961,"s_to_c_stddev":941.4}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01588{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1495,"source":"webex.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570716599098,"flow_src_last_pkt_time":1444570719040525,"flow_dst_last_pkt_time":1444570720047703,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":378,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":1559,"flow_dst_tot_l4_payload_len":4630,"midstream":0,"thread_ts_usec":1444570720047703,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51857,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":213,"flow_avg":190001.0,"flow_max":1366658,"flow_stddev":352312.5,"c_to_s_min":213,"c_to_s_avg":162761.8,"c_to_s_max":1366658,"c_to_s_stddev":333022.6,"s_to_c_min":855,"s_to_c_avg":215537.8,"s_to_c_max":1312624,"s_to_c_stddev":367655.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":152.7,"c_to_s_max":432,"c_to_s_stddev":113.7,"s_to_c_min":54,"s_to_c_avg":343.4,"s_to_c_max":3961,"s_to_c_stddev":941.4}},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1527,"source":"webex.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570732086555,"flow_src_last_pkt_time":1444570732086555,"flow_dst_last_pkt_time":1444570732086555,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570732086555,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51190,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1527,"source":"webex.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":1,"flow_src_last_pkt_time":1444570732086555,"flow_dst_last_pkt_time":1444570732086555,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570732086555,"pkt":"ABoRAAACABoRAAABCABFAAA8h\/tAAEAGidIKCAABPm3geMf2AbvHvWEvAAAAAKACOQgMSwAAAgQFtAQCCAoATObUAAAAAAEDAwY="} 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1528,"source":"webex.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1444570732086555,"flow_dst_last_pkt_time":1444570732090067,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570732090067,"pkt":"ABoRAAACABoRAAABCABFAAAoA+tAABAGPfc+beB4CggAAQG7x\/Y4Qp7Qx71hMFAS\/\/+9MQAA"} diff --git a/test/results/wechat.pcap.out b/test/results/wechat.pcap.out index c2cb9a016..ef0345044 100644 --- a/test/results/wechat.pcap.out +++ b/test/results/wechat.pcap.out @@ -87,7 +87,7 @@ 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":131,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_src_last_pkt_time":1492167355723894,"flow_dst_last_pkt_time":1492167356077508,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167356077508,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC0GJ53LzZeiwKgBZwG700uz8YPYbAqDH6ASN8iq2QAAAgQFoAQCCApFrUFyADC8mAEDAwc="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_src_last_pkt_time":1492167356077551,"flow_dst_last_pkt_time":1492167356077508,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167356077551,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0P4dAAEAG1b3AqAFny82XotNLAbtsCoMfs\/GD2YAQAOUQHAAAAQEICgAwvPFFrUFy"} 01049{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":133,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167355723894,"flow_src_last_pkt_time":1492167356077750,"flow_dst_last_pkt_time":1492167356077508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167356077750,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} -01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":141,"source":"wechat.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167353687624,"flow_src_last_pkt_time":1492167356095248,"flow_dst_last_pkt_time":1492167356095234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":5826,"flow_src_tot_l4_payload_len":4717,"flow_dst_tot_l4_payload_len":16498,"midstream":0,"thread_ts_usec":1492167356095248,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54089,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":287,"flow_avg":344706.4,"flow_max":6215371,"flow_stddev":1069292.0,"c_to_s_min":287,"c_to_s_avg":538937.2,"c_to_s_max":6215371,"c_to_s_stddev":1476491.0,"s_to_c_min":287,"s_to_c_avg":150475.6,"s_to_c_max":393374,"s_to_c_stddev":176901.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":361.3,"c_to_s_max":1306,"c_to_s_stddev":443.2,"s_to_c_min":66,"s_to_c_avg":1097.6,"s_to_c_max":5892,"s_to_c_stddev":1399.2}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +01474{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":141,"source":"wechat.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167353687624,"flow_src_last_pkt_time":1492167356095248,"flow_dst_last_pkt_time":1492167356095234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":5826,"flow_src_tot_l4_payload_len":4717,"flow_dst_tot_l4_payload_len":16498,"midstream":0,"thread_ts_usec":1492167356095248,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54089,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":287,"flow_avg":155330.1,"flow_max":410564,"flow_stddev":180667.8,"c_to_s_min":287,"c_to_s_avg":160508.3,"c_to_s_max":410564,"c_to_s_stddev":184459.6,"s_to_c_min":287,"s_to_c_avg":150475.6,"s_to_c_max":393374,"s_to_c_stddev":176901.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":361.3,"c_to_s_max":1306,"c_to_s_stddev":443.2,"s_to_c_min":66,"s_to_c_avg":1097.6,"s_to_c_max":5892,"s_to_c_stddev":1399.2}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 01109{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":151,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167355723894,"flow_src_last_pkt_time":1492167356077750,"flow_dst_last_pkt_time":1492167356488969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167356488969,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01762{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":153,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167355723894,"flow_src_last_pkt_time":1492167356489000,"flow_dst_last_pkt_time":1492167356489253,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":3116,"midstream":0,"thread_ts_usec":1492167356489253,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} 00603{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":167,"source":"wechat.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1492167345896252,"flow_dst_last_pkt_time":1492167360622900,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":121,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":121,"pkt_l4_len":87,"thread_ts_usec":1492167360622900,"pkt":"eJKcD6iO8IQvSpdgCABFoABrfSgAADcGnizYOs1OwKgBZwG7ugsgLP3V+HJvr4AYAV2wggAAAQEICvap78EAL9cAFwMDADI7\/WDixcApjMc4oo49oFJiwuyoshtW5rSqz9ahoHcSOkzcmjO3CkNO6pgK6XLAf2uLNg=="} @@ -132,9 +132,9 @@ 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":303,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167382020263,"flow_src_last_pkt_time":1492167382020263,"flow_dst_last_pkt_time":1492167382020263,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167382020263,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.211","src_port":40740,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":303,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1492167382020263,"flow_dst_last_pkt_time":1492167382020263,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1492167382020263,"pkt":"8IQvSpdgeJKcD6iOCABFAAAokulAAEAGgjbAqAFny82X058kAbutvz98aYB+jlAQAdESKQAA"} 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":304,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1492167382020263,"flow_dst_last_pkt_time":1492167382374842,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1492167382374842,"pkt":"eJKcD6iO8IQvSpdgCABFoAAoL8xAAC4G9rPLzZfTwKgBZwG7nyRpgH6Orb8\/fVAQAIMTdgAAAADZK2u8"} -01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"wechat.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167378674770,"flow_src_last_pkt_time":1492167386718697,"flow_dst_last_pkt_time":1492167385566065,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8227,"flow_dst_tot_l4_payload_len":6835,"midstream":0,"thread_ts_usec":1492167386718697,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54094,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":435,"flow_avg":777225.5,"flow_max":9935993,"flow_stddev":1939588.6,"c_to_s_min":435,"c_to_s_avg":998884.4,"c_to_s_max":9935993,"c_to_s_stddev":2360467.8,"s_to_c_min":491,"s_to_c_avg":492235.3,"s_to_c_max":4544256,"s_to_c_stddev":1136099.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":523.5,"c_to_s_max":1306,"c_to_s_stddev":498.7,"s_to_c_min":66,"s_to_c_avg":554.8,"s_to_c_max":1754,"s_to_c_stddev":621.5}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} -01482{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":335,"source":"wechat.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167378926091,"flow_src_last_pkt_time":1492167387133549,"flow_dst_last_pkt_time":1492167385164247,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":8225,"flow_src_tot_l4_payload_len":6431,"flow_dst_tot_l4_payload_len":15757,"midstream":0,"thread_ts_usec":1492167387133549,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54095,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":438,"flow_avg":769779.0,"flow_max":10187314,"flow_stddev":1877187.9,"c_to_s_min":438,"c_to_s_avg":1021931.8,"c_to_s_max":10187314,"c_to_s_stddev":2351462.5,"s_to_c_min":453,"s_to_c_avg":445582.6,"s_to_c_max":3383945,"s_to_c_stddev":870879.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":423.7,"c_to_s_max":1306,"c_to_s_stddev":471.1,"s_to_c_min":66,"s_to_c_avg":1192.6,"s_to_c_max":8291,"s_to_c_stddev":2067.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} -01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":342,"source":"wechat.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167353674975,"flow_src_last_pkt_time":1492167387855952,"flow_dst_last_pkt_time":1492167387536614,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":198,"flow_dst_max_l4_payload_len":1188,"flow_src_tot_l4_payload_len":1584,"flow_dst_tot_l4_payload_len":9504,"midstream":1,"thread_ts_usec":1492167387855952,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54058,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":67,"flow_avg":2167179.0,"flow_max":11774429,"flow_stddev":3288641.8,"c_to_s_min":5903,"c_to_s_avg":2218005.5,"c_to_s_max":11414547,"c_to_s_stddev":3200863.5,"s_to_c_min":67,"s_to_c_avg":2116352.5,"s_to_c_max":11774429,"s_to_c_stddev":3373371.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":165.0,"c_to_s_max":264,"c_to_s_stddev":99.0,"s_to_c_min":66,"s_to_c_avg":660.0,"s_to_c_max":1254,"s_to_c_stddev":594.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01476{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"wechat.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167378674770,"flow_src_last_pkt_time":1492167386718697,"flow_dst_last_pkt_time":1492167385566065,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8227,"flow_dst_tot_l4_payload_len":6835,"midstream":0,"thread_ts_usec":1492167386718697,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54094,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":435,"flow_avg":481781.3,"flow_max":4544256,"flow_stddev":1044110.9,"c_to_s_min":435,"c_to_s_avg":473172.2,"c_to_s_max":4139732,"c_to_s_stddev":961686.2,"s_to_c_min":491,"s_to_c_avg":492235.3,"s_to_c_max":4544256,"s_to_c_stddev":1136099.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":523.5,"c_to_s_max":1306,"c_to_s_stddev":498.7,"s_to_c_min":66,"s_to_c_avg":554.8,"s_to_c_max":1754,"s_to_c_stddev":621.5}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":335,"source":"wechat.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167378926091,"flow_src_last_pkt_time":1492167387133549,"flow_dst_last_pkt_time":1492167385164247,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":8225,"flow_src_tot_l4_payload_len":6431,"flow_dst_tot_l4_payload_len":15757,"midstream":0,"thread_ts_usec":1492167387133549,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54095,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":438,"flow_avg":465987.6,"flow_max":3383945,"flow_stddev":827194.4,"c_to_s_min":438,"c_to_s_avg":482791.7,"c_to_s_max":3017858,"c_to_s_stddev":789009.4,"s_to_c_min":453,"s_to_c_avg":445582.6,"s_to_c_max":3383945,"s_to_c_stddev":870879.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":423.7,"c_to_s_max":1306,"c_to_s_stddev":471.1,"s_to_c_min":66,"s_to_c_avg":1192.6,"s_to_c_max":8291,"s_to_c_stddev":2067.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +01349{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":342,"source":"wechat.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167353674975,"flow_src_last_pkt_time":1492167387855952,"flow_dst_last_pkt_time":1492167387536614,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":198,"flow_dst_max_l4_payload_len":1188,"flow_src_tot_l4_payload_len":1584,"flow_dst_tot_l4_payload_len":9504,"midstream":1,"thread_ts_usec":1492167387855952,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54058,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":67,"flow_avg":2194923.0,"flow_max":11774429,"flow_stddev":3337575.2,"c_to_s_min":5903,"c_to_s_avg":2278731.8,"c_to_s_max":11414547,"c_to_s_stddev":3296901.5,"s_to_c_min":67,"s_to_c_avg":2116352.5,"s_to_c_max":11774429,"s_to_c_stddev":3373371.2},"pktlen": {"c_to_s_min":66,"c_to_s_avg":165.0,"c_to_s_max":264,"c_to_s_stddev":99.0,"s_to_c_min":66,"s_to_c_avg":660.0,"s_to_c_max":1254,"s_to_c_stddev":594.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":345,"source":"wechat.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1492167397120263,"flow_dst_last_pkt_time":1492167352122932,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167397120263,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0ePJAAEAGFx3AqAFnQOmnvIyxFGy60MyoSq1b+oAQAO0gQAAAAQEICgAw5QaFnXDI"} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":354,"source":"wechat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167400812629,"flow_src_last_pkt_time":1492167400812629,"flow_dst_last_pkt_time":1492167400812629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167400812629,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54097,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":354,"source":"wechat.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":1,"flow_src_last_pkt_time":1492167400812629,"flow_dst_last_pkt_time":1492167400812629,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167400812629,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8voBAAEAGVrzAqAFny82XotNRAbuSN1YhAAAAAKACchAKOQAAAgQFtAQCCAoAMOihAAAAAAEDAwc="} @@ -152,10 +152,10 @@ 01049{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":382,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167402310146,"flow_dst_last_pkt_time":1492167401410519,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167402310146,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01109{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":389,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167402503381,"flow_dst_last_pkt_time":1492167402665578,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167402665578,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01762{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":391,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167402665635,"flow_dst_last_pkt_time":1492167402666132,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":3116,"midstream":0,"thread_ts_usec":1492167402666132,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} -01480{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":439,"source":"wechat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167400812629,"flow_src_last_pkt_time":1492167418885540,"flow_dst_last_pkt_time":1492167414163142,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8690,"flow_dst_tot_l4_payload_len":5502,"midstream":0,"thread_ts_usec":1492167418885540,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54097,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":652,"flow_avg":1083494.9,"flow_max":6862195,"flow_stddev":1956114.4,"c_to_s_min":698,"c_to_s_avg":1122174.9,"c_to_s_max":6493521,"c_to_s_stddev":1899072.2,"s_to_c_min":652,"s_to_c_avg":1026962.6,"s_to_c_max":6862195,"s_to_c_stddev":2035290.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":523.8,"c_to_s_max":1306,"c_to_s_stddev":478.8,"s_to_c_min":66,"s_to_c_avg":489.8,"s_to_c_max":1754,"s_to_c_stddev":582.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} -01480{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":454,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167421570947,"flow_dst_last_pkt_time":1492167421929069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":7047,"flow_dst_tot_l4_payload_len":5272,"midstream":0,"thread_ts_usec":1492167421929069,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":539,"flow_avg":1402253.2,"flow_max":6095000,"flow_stddev":2044604.8,"c_to_s_min":539,"c_to_s_avg":1263512.0,"c_to_s_max":5733723,"c_to_s_stddev":1885508.8,"s_to_c_min":554,"s_to_c_avg":1605028.9,"s_to_c_max":6095000,"s_to_c_stddev":2241652.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":437.3,"c_to_s_max":1306,"c_to_s_stddev":466.1,"s_to_c_min":66,"s_to_c_avg":472.8,"s_to_c_max":1754,"s_to_c_stddev":591.6}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +01480{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":439,"source":"wechat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167400812629,"flow_src_last_pkt_time":1492167418885540,"flow_dst_last_pkt_time":1492167414163142,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8690,"flow_dst_tot_l4_payload_len":5502,"midstream":0,"thread_ts_usec":1492167418885540,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54097,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":652,"flow_avg":1013658.8,"flow_max":6862195,"flow_stddev":1947754.9,"c_to_s_min":698,"c_to_s_avg":1004050.7,"c_to_s_max":6493521,"c_to_s_stddev":1881946.2,"s_to_c_min":652,"s_to_c_avg":1026962.6,"s_to_c_max":6862195,"s_to_c_stddev":2035290.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":523.8,"c_to_s_max":1306,"c_to_s_stddev":478.8,"s_to_c_min":66,"s_to_c_avg":489.8,"s_to_c_max":1754,"s_to_c_stddev":582.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +01480{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":454,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167421570947,"flow_dst_last_pkt_time":1492167421929069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":7047,"flow_dst_tot_l4_payload_len":5272,"midstream":0,"thread_ts_usec":1492167421929069,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":539,"flow_avg":1334601.0,"flow_max":6095000,"flow_stddev":2041764.4,"c_to_s_min":539,"c_to_s_avg":1139291.9,"c_to_s_max":5733723,"c_to_s_stddev":1859964.6,"s_to_c_min":554,"s_to_c_avg":1605028.9,"s_to_c_max":6095000,"s_to_c_stddev":2241652.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":437.3,"c_to_s_max":1306,"c_to_s_stddev":466.1,"s_to_c_min":66,"s_to_c_avg":472.8,"s_to_c_max":1754,"s_to_c_stddev":591.6}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":466,"source":"wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1492167422952271,"flow_dst_last_pkt_time":1492167377936495,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167422952271,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0KNBAAEAGqhvAqAFn2DrNjsJ7AbvMOVSD1yvysIAQAT2SvQAAAQEICgAw\/kAycps2"} -01485{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":473,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167342893680,"flow_src_last_pkt_time":1492167433192261,"flow_dst_last_pkt_time":1492167433240018,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":829,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1283,"flow_dst_tot_l4_payload_len":5138,"midstream":0,"thread_ts_usec":1492167433240018,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":53,"flow_avg":5646280.5,"flow_max":45056034,"flow_stddev":14893255.0,"c_to_s_min":208,"c_to_s_avg":5645915.0,"c_to_s_max":45056034,"c_to_s_stddev":14893349.0,"s_to_c_min":53,"s_to_c_avg":5646646.0,"s_to_c_max":45052882,"s_to_c_stddev":14893161.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":146.7,"c_to_s_max":895,"c_to_s_stddev":200.8,"s_to_c_min":66,"s_to_c_avg":387.6,"s_to_c_max":1484,"s_to_c_stddev":535.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01485{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":473,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167342893680,"flow_src_last_pkt_time":1492167433192261,"flow_dst_last_pkt_time":1492167433240018,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":829,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1283,"flow_dst_tot_l4_payload_len":5138,"midstream":0,"thread_ts_usec":1492167433240018,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":53,"flow_avg":5827255.0,"flow_max":45056034,"flow_stddev":15096891.0,"c_to_s_min":208,"c_to_s_avg":6019905.5,"c_to_s_max":45056034,"c_to_s_stddev":15308867.0,"s_to_c_min":53,"s_to_c_avg":5646646.0,"s_to_c_max":45052882,"s_to_c_stddev":14893161.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":146.7,"c_to_s_max":895,"c_to_s_stddev":200.8,"s_to_c_min":66,"s_to_c_avg":387.6,"s_to_c_max":1484,"s_to_c_stddev":535.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00717{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":474,"source":"wechat.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167440370306,"flow_src_last_pkt_time":1492167440370306,"flow_dst_last_pkt_time":1492167440370306,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167440370306,"l3_proto":"ip4","src_ip":"192.168.1.254","dst_ip":"224.0.0.1","l4_proto":2,"flow_datalink":1,"flow_max_packets":3} 00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":474,"source":"wechat.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1492167440370306,"flow_dst_last_pkt_time":1492167440370306,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":50,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":38,"pkt_len":50,"pkt_l4_len":12,"thread_ts_usec":1492167440370306,"pkt":"AQBeAAAB8IQvSpdgCABGoAAkj9gAAAEC8bPAqAH+4AAAAZQEAAARZOybAAAAAAIAAAA="} 00823{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":474,"source":"wechat.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167440370306,"flow_src_last_pkt_time":1492167440370306,"flow_dst_last_pkt_time":1492167440370306,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167440370306,"l3_proto":"ip4","src_ip":"192.168.1.254","dst_ip":"224.0.0.1","l4_proto":2,"ndpi": {"confidence": {"6":"DPI"},"proto":"IGMP","proto_id":"82","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -203,15 +203,15 @@ 01762{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":569,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167455501611,"flow_dst_last_pkt_time":1492167455502415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":2856,"midstream":0,"thread_ts_usec":1492167455502415,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":577,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167455528205,"flow_dst_last_pkt_time":1492167455528205,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167455528205,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":577,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_src_last_pkt_time":1492167455528205,"flow_dst_last_pkt_time":1492167455528205,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167455528205,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8kudAAEAGglXAqAFny82XotNYAbvneYz3AAAAAKACchBIqgAAAgQFtAQCCAoAMR4QAAAAAAEDAwc="} -01475{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":587,"source":"wechat.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167452759446,"flow_src_last_pkt_time":1492167455588916,"flow_dst_last_pkt_time":1492167455588897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":10981,"midstream":0,"thread_ts_usec":1492167455588916,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54099,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":470,"flow_avg":323504.8,"flow_max":4693233,"flow_stddev":806795.3,"c_to_s_min":470,"c_to_s_avg":470168.9,"c_to_s_max":4693233,"c_to_s_stddev":1106859.5,"s_to_c_min":518,"s_to_c_avg":176840.7,"s_to_c_max":407097,"s_to_c_stddev":183517.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":458.2,"c_to_s_max":1306,"c_to_s_stddev":474.0,"s_to_c_min":66,"s_to_c_avg":752.8,"s_to_c_max":1754,"s_to_c_stddev":693.5}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +01472{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":587,"source":"wechat.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167452759446,"flow_src_last_pkt_time":1492167455588916,"flow_dst_last_pkt_time":1492167455588897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":10981,"midstream":0,"thread_ts_usec":1492167455588916,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54099,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":470,"flow_avg":182545.8,"flow_max":469392,"flow_stddev":189984.8,"c_to_s_min":470,"c_to_s_avg":188631.3,"c_to_s_max":469392,"c_to_s_stddev":196466.2,"s_to_c_min":518,"s_to_c_avg":176840.7,"s_to_c_max":407097,"s_to_c_stddev":183517.8},"pktlen": {"c_to_s_min":66,"c_to_s_avg":458.2,"c_to_s_max":1306,"c_to_s_stddev":474.0,"s_to_c_min":66,"s_to_c_avg":752.8,"s_to_c_max":1754,"s_to_c_stddev":693.5}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":613,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":1492167455528205,"flow_dst_last_pkt_time":1492167455891345,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167455891345,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC0GJ53LzZeiwKgBZwG701iyhnqT53mM+KASN8htQwAAAgQFoAQCCApFraLqADEeEAEDAwc="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":614,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":3,"flow_src_last_pkt_time":1492167455891380,"flow_dst_last_pkt_time":1492167455891345,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167455891380,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0kuhAAEAGglzAqAFny82XotNYAbvneYz4soZ6lIAQAOXShAAAAQEICgAxHmpFraLq"} 01049{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":615,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167455891558,"flow_dst_last_pkt_time":1492167455891345,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167455891558,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01109{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":648,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167455891558,"flow_dst_last_pkt_time":1492167456251036,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167456251036,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01762{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":650,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167456251067,"flow_dst_last_pkt_time":1492167456251627,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":2856,"midstream":0,"thread_ts_usec":1492167456251627,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} -01211{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":673,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167456832685,"flow_dst_last_pkt_time":1492167456833193,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1088,"flow_dst_max_l4_payload_len":3068,"flow_src_tot_l4_payload_len":2540,"flow_dst_tot_l4_payload_len":21943,"midstream":0,"thread_ts_usec":1492167456833193,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":485,"flow_avg":136731.3,"flow_max":646724,"flow_stddev":182940.1,"c_to_s_min":485,"c_to_s_avg":157382.0,"c_to_s_max":376133,"c_to_s_stddev":167588.4,"s_to_c_min":489,"s_to_c_avg":118510.1,"s_to_c_max":646724,"s_to_c_stddev":193667.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":235.9,"c_to_s_max":1154,"c_to_s_stddev":365.8,"s_to_c_min":66,"s_to_c_avg":1357.2,"s_to_c_max":3134,"s_to_c_stddev":830.5}}} +01211{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":673,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167456832685,"flow_dst_last_pkt_time":1492167456833193,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1088,"flow_dst_max_l4_payload_len":3068,"flow_src_tot_l4_payload_len":2540,"flow_dst_tot_l4_payload_len":21943,"midstream":0,"thread_ts_usec":1492167456833193,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":485,"flow_avg":129962.4,"flow_max":646724,"flow_stddev":181880.5,"c_to_s_min":485,"c_to_s_avg":143868.8,"c_to_s_max":376133,"c_to_s_stddev":165387.1,"s_to_c_min":489,"s_to_c_avg":118510.1,"s_to_c_max":646724,"s_to_c_stddev":193667.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":235.9,"c_to_s_max":1154,"c_to_s_stddev":365.8,"s_to_c_min":66,"s_to_c_avg":1357.2,"s_to_c_max":3134,"s_to_c_stddev":830.5}}} 01767{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":673,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167456832685,"flow_dst_last_pkt_time":1492167456833193,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1088,"flow_dst_max_l4_payload_len":3068,"flow_src_tot_l4_payload_len":2540,"flow_dst_tot_l4_payload_len":21943,"midstream":0,"thread_ts_usec":1492167456833193,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} -01471{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":702,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167454457964,"flow_src_last_pkt_time":1492167457755437,"flow_dst_last_pkt_time":1492167457756747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":9439,"midstream":0,"thread_ts_usec":1492167457756747,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54101,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":383,"flow_avg":208811.2,"flow_max":951677,"flow_stddev":230575.8,"c_to_s_min":383,"c_to_s_avg":199010.4,"c_to_s_max":543113,"c_to_s_stddev":202022.4,"s_to_c_min":549,"s_to_c_avg":219918.9,"s_to_c_max":951677,"s_to_c_stddev":258712.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":435.1,"c_to_s_max":1306,"c_to_s_stddev":469.0,"s_to_c_min":66,"s_to_c_avg":695.8,"s_to_c_max":1754,"s_to_c_stddev":693.0}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +01471{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":702,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167454457964,"flow_src_last_pkt_time":1492167457755437,"flow_dst_last_pkt_time":1492167457756747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":9439,"midstream":0,"thread_ts_usec":1492167457756747,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54101,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":383,"flow_avg":212782.5,"flow_max":951677,"flow_stddev":233185.6,"c_to_s_min":383,"c_to_s_avg":206092.1,"c_to_s_max":543113,"c_to_s_stddev":206182.7,"s_to_c_min":549,"s_to_c_avg":219918.9,"s_to_c_max":951677,"s_to_c_stddev":258712.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":435.1,"c_to_s_max":1306,"c_to_s_stddev":469.0,"s_to_c_min":66,"s_to_c_avg":695.8,"s_to_c_max":1754,"s_to_c_stddev":693.0}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00863{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167337792745,"flow_src_last_pkt_time":1492167353998138,"flow_dst_last_pkt_time":1492167353687334,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":604,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":604,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167478295735,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54084,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00760{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167337792745,"flow_src_last_pkt_time":1492167353998138,"flow_dst_last_pkt_time":1492167353687334,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":604,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":604,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167478295735,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54084,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00860{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1492167353687522,"flow_src_last_pkt_time":1492167354015579,"flow_dst_last_pkt_time":1492167354015537,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167478295735,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54085,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -289,7 +289,7 @@ 01042{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":943,"source":"wechat.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167648277830,"flow_src_last_pkt_time":1492167648583174,"flow_dst_last_pkt_time":1492167648582668,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167648583174,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.158.34","src_port":43850,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.QQ","proto_id":"91.48","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"res.wx.qq.com","tls": {"version":"TLSv1.2","ja3":"550dce18de1bb143e69d6dd9413b8355","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":945,"source":"wechat.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1492167648494081,"flow_dst_last_pkt_time":1492167648873395,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167648873395,"pkt":"eJKcD6iO8IQvSpdgCABFoAA0AABAADEGHSXLzZ4iwKgBZwG7q0tO\/rLJEoYlf4ASOQgjJgAAAgQFtAEBBAIBAwMH"} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":946,"source":"wechat.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_src_last_pkt_time":1492167648873492,"flow_dst_last_pkt_time":1492167648873395,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1492167648873492,"pkt":"8IQvSpdgeJKcD6iOCABFAAAoAABAAEAGDtHAqAFny82eIqtLAbsShiV\/Tv6yylAQAOWcGwAA"} -01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":947,"source":"wechat.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167639887918,"flow_src_last_pkt_time":1492167648260043,"flow_dst_last_pkt_time":1492167648882009,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":6405,"flow_dst_tot_l4_payload_len":7218,"midstream":0,"thread_ts_usec":1492167648882009,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54113,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":441,"flow_avg":560935.1,"flow_max":6615415,"flow_stddev":1527565.6,"c_to_s_min":441,"c_to_s_avg":526813.6,"c_to_s_max":6259002,"c_to_s_stddev":1445241.8,"s_to_c_min":471,"s_to_c_avg":599606.1,"s_to_c_max":6615415,"s_to_c_stddev":1614932.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":443.2,"c_to_s_max":1306,"c_to_s_stddev":474.3,"s_to_c_min":66,"s_to_c_avg":547.7,"s_to_c_max":1494,"s_to_c_stddev":614.6}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":947,"source":"wechat.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167639887918,"flow_src_last_pkt_time":1492167648260043,"flow_dst_last_pkt_time":1492167648882009,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":6405,"flow_dst_tot_l4_payload_len":7218,"midstream":0,"thread_ts_usec":1492167648882009,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54113,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":441,"flow_avg":560200.5,"flow_max":6615415,"flow_stddev":1552002.6,"c_to_s_min":441,"c_to_s_avg":523257.8,"c_to_s_max":6259002,"c_to_s_stddev":1489649.0,"s_to_c_min":471,"s_to_c_avg":599606.1,"s_to_c_max":6615415,"s_to_c_stddev":1614932.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":443.2,"c_to_s_max":1306,"c_to_s_stddev":474.3,"s_to_c_min":66,"s_to_c_avg":547.7,"s_to_c_max":1494,"s_to_c_stddev":614.6}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 01214{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":968,"source":"wechat.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167648277830,"flow_src_last_pkt_time":1492167648583174,"flow_dst_last_pkt_time":1492167648902355,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1492167648902355,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.158.34","src_port":43850,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.QQ","proto_id":"91.48","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"res.wx.qq.com","tls": {"version":"TLSv1.2","ja3":"550dce18de1bb143e69d6dd9413b8355","ja3s":"290adf098a54ade688d1df074dbecbf2","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1"}}} 01882{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":970,"source":"wechat.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167648277830,"flow_src_last_pkt_time":1492167648902391,"flow_dst_last_pkt_time":1492167648903691,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":3430,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":4890,"midstream":0,"thread_ts_usec":1492167648903691,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.158.34","src_port":43850,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.QQ","proto_id":"91.48","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"res.wx.qq.com","tls": {"version":"TLSv1.2","server_names":"wx1.qq.com,webpush.wx.qq.com,webpush1.weixin.qq.com,loginpoll.weixin.qq.com,login.wx.qq.com,file.wx2.qq.com,wx2.qq.com,login.wx2.qq.com,wxitil.qq.com,file.wx.qq.com,login.weixin.qq.com,webpush2.weixin.qq.com,webpush.wx2.qq.com,webpush.weixin.qq.com,web.weixin.qq.com,res.wx.qq.com,wx.qq.com","ja3":"550dce18de1bb143e69d6dd9413b8355","ja3s":"290adf098a54ade688d1df074dbecbf2","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, OU=R&D, CN=wx.qq.com","alpn":"h2,http\/1.1","fingerprint":"67:53:57:7F:22:BB:D0:A6:D4:5F:A6:D4:B3:0A:13:73:29:23:D0:C9"}}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":997,"source":"wechat.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167650311981,"flow_src_last_pkt_time":1492167650311981,"flow_dst_last_pkt_time":1492167650311981,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":33,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167650311981,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":60562,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -322,9 +322,9 @@ 01110{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1077,"source":"wechat.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167695488485,"flow_src_last_pkt_time":1492167696636507,"flow_dst_last_pkt_time":1492167697005590,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167697005590,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54118,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01763{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1079,"source":"wechat.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167695488485,"flow_src_last_pkt_time":1492167697005638,"flow_dst_last_pkt_time":1492167697006161,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":2856,"midstream":0,"thread_ts_usec":1492167697006161,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54118,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1088,"source":"wechat.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1492167697384234,"flow_dst_last_pkt_time":1492167449288224,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":38,"pkt_len":54,"pkt_l4_len":16,"thread_ts_usec":1492167697384234,"pkt":"AQBeAAAWeJKcD6iOCABGwAAoAABAAAECQerAqAFn4AAAFpQEAAAiAPsCAAAAAQIAAADgAAD7"} -01482{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1102,"source":"wechat.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167695237173,"flow_src_last_pkt_time":1492167705300255,"flow_dst_last_pkt_time":1492167705261666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":7069,"flow_dst_tot_l4_payload_len":5502,"midstream":0,"thread_ts_usec":1492167705300255,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54117,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":370,"flow_avg":1665141.4,"flow_max":33196948,"flow_stddev":5945428.0,"c_to_s_min":370,"c_to_s_avg":2403335.0,"c_to_s_max":33196948,"c_to_s_stddev":7653138.5,"s_to_c_min":391,"s_to_c_avg":716035.2,"s_to_c_max":7806976,"s_to_c_stddev":1972128.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":459.2,"c_to_s_max":1306,"c_to_s_stddev":470.6,"s_to_c_min":66,"s_to_c_avg":459.6,"s_to_c_max":1494,"s_to_c_stddev":523.8}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} -01323{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1112,"source":"wechat.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426301,"flow_src_last_pkt_time":1492167713329924,"flow_dst_last_pkt_time":1492167338426301,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167713329924,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":304,"flow_avg":11735537.0,"flow_max":183800554,"flow_stddev":32839590.0,"c_to_s_min":304,"c_to_s_avg":11735537.0,"c_to_s_max":183800554,"c_to_s_stddev":32839590.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":82,"c_to_s_avg":82.0,"c_to_s_max":82,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01335{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1113,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426352,"flow_src_last_pkt_time":1492167713329983,"flow_dst_last_pkt_time":1492167338426352,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167713329983,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":285,"flow_avg":11735539.0,"flow_max":183800433,"flow_stddev":32839558.0,"c_to_s_min":285,"c_to_s_avg":11735539.0,"c_to_s_max":183800433,"c_to_s_stddev":32839558.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":102,"c_to_s_avg":102.0,"c_to_s_max":102,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1102,"source":"wechat.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167695237173,"flow_src_last_pkt_time":1492167705300255,"flow_dst_last_pkt_time":1492167705261666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":7069,"flow_dst_tot_l4_payload_len":5502,"midstream":0,"thread_ts_usec":1492167705300255,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54117,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":370,"flow_avg":647986.3,"flow_max":7806976,"flow_stddev":1838759.0,"c_to_s_min":370,"c_to_s_avg":591946.0,"c_to_s_max":7430680,"c_to_s_stddev":1719162.2,"s_to_c_min":391,"s_to_c_avg":716035.2,"s_to_c_max":7806976,"s_to_c_stddev":1972128.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":459.2,"c_to_s_max":1306,"c_to_s_stddev":470.6,"s_to_c_min":66,"s_to_c_avg":459.6,"s_to_c_max":1494,"s_to_c_stddev":523.8}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +01323{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1112,"source":"wechat.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426301,"flow_src_last_pkt_time":1492167713329924,"flow_dst_last_pkt_time":1492167338426301,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167713329924,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":304,"flow_avg":12093665.0,"flow_max":183800554,"flow_stddev":33303494.0,"c_to_s_min":304,"c_to_s_avg":12093665.0,"c_to_s_max":183800554,"c_to_s_stddev":33303494.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":82,"c_to_s_avg":82.0,"c_to_s_max":82,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01335{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1113,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426352,"flow_src_last_pkt_time":1492167713329983,"flow_dst_last_pkt_time":1492167338426352,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167713329983,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":285,"flow_avg":12093665.0,"flow_max":183800433,"flow_stddev":33303466.0,"c_to_s_min":285,"c_to_s_avg":12093665.0,"c_to_s_max":183800433,"c_to_s_stddev":33303466.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0},"pktlen": {"c_to_s_min":102,"c_to_s_avg":102.0,"c_to_s_max":102,"c_to_s_stddev":0.0,"s_to_c_min":0,"s_to_c_avg":0.0,"s_to_c_max":0,"s_to_c_stddev":0.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1127,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167720101930,"flow_src_last_pkt_time":1492167720101930,"flow_dst_last_pkt_time":1492167720101930,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167720101930,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1127,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":1,"flow_src_last_pkt_time":1492167720101930,"flow_dst_last_pkt_time":1492167720101930,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167720101930,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8R8JAAEAGzXrAqAFny82XotNnAbsR+WetAAAAAKACchBBBgAAAgQFtAQCCAoAMiBvAAAAAAEDAwc="} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1128,"source":"wechat.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167720353253,"flow_src_last_pkt_time":1492167720353253,"flow_dst_last_pkt_time":1492167720353253,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167720353253,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54120,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -339,7 +339,7 @@ 01050{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1159,"source":"wechat.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167720353253,"flow_src_last_pkt_time":1492167722010515,"flow_dst_last_pkt_time":1492167720700672,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167722010515,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54120,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01110{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1166,"source":"wechat.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167720353253,"flow_src_last_pkt_time":1492167722071030,"flow_dst_last_pkt_time":1492167722364483,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167722364483,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54120,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01763{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1168,"source":"wechat.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1492167720353253,"flow_src_last_pkt_time":1492167722364537,"flow_dst_last_pkt_time":1492167722365024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":3116,"midstream":0,"thread_ts_usec":1492167722365024,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54120,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} -01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1181,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167720101930,"flow_src_last_pkt_time":1492167729700517,"flow_dst_last_pkt_time":1492167729700473,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":6405,"flow_dst_tot_l4_payload_len":7217,"midstream":0,"thread_ts_usec":1492167729700517,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":333,"flow_avg":749962.8,"flow_max":7132743,"flow_stddev":1792391.2,"c_to_s_min":334,"c_to_s_avg":847074.4,"c_to_s_max":6695589,"c_to_s_stddev":1829375.9,"s_to_c_min":333,"s_to_c_avg":639902.9,"s_to_c_max":7132743,"s_to_c_stddev":1743001.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":443.2,"c_to_s_max":1306,"c_to_s_stddev":474.3,"s_to_c_min":66,"s_to_c_avg":547.7,"s_to_c_max":1494,"s_to_c_stddev":614.7}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +01478{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1181,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167720101930,"flow_src_last_pkt_time":1492167729700517,"flow_dst_last_pkt_time":1492167729700473,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":6405,"flow_dst_tot_l4_payload_len":7217,"midstream":0,"thread_ts_usec":1492167729700517,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":333,"flow_avg":619262.2,"flow_max":7132743,"flow_stddev":1664228.6,"c_to_s_min":334,"c_to_s_avg":599911.7,"c_to_s_max":6695589,"c_to_s_stddev":1586587.5,"s_to_c_min":333,"s_to_c_avg":639902.9,"s_to_c_max":7132743,"s_to_c_stddev":1743001.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":443.2,"c_to_s_max":1306,"c_to_s_stddev":474.3,"s_to_c_min":66,"s_to_c_avg":547.7,"s_to_c_max":1494,"s_to_c_stddev":614.7}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00861{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1216,"source":"wechat.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167617247730,"flow_src_last_pkt_time":1492167617247730,"flow_dst_last_pkt_time":1492167617598882,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167749276262,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54109,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00758{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1216,"source":"wechat.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167617247730,"flow_src_last_pkt_time":1492167617247730,"flow_dst_last_pkt_time":1492167617598882,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167749276262,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54109,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00861{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1216,"source":"wechat.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167617247977,"flow_src_last_pkt_time":1492167617247977,"flow_dst_last_pkt_time":1492167617562993,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167749276262,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54110,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -374,7 +374,7 @@ 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1266,"source":"wechat.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":3,"flow_src_last_pkt_time":1492167777476579,"flow_dst_last_pkt_time":1492167777476493,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167777476579,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0XvtAAEAGukDAqAFny82Tq+K3Abv08QbKs2vgPoAQAOVlIAAAAQEICgAyWHdFrtz+"} 01110{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1268,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167776953879,"flow_src_last_pkt_time":1492167777221018,"flow_dst_last_pkt_time":1492167777494071,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167777494071,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01763{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1270,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167776953879,"flow_src_last_pkt_time":1492167777494128,"flow_dst_last_pkt_time":1492167777494665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":3116,"midstream":0,"thread_ts_usec":1492167777494665,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} -01477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1310,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167776953879,"flow_src_last_pkt_time":1492167781392220,"flow_dst_last_pkt_time":1492167781372855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8609,"flow_dst_tot_l4_payload_len":6923,"midstream":0,"thread_ts_usec":1492167781392220,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":433,"flow_avg":579283.6,"flow_max":9679760,"flow_stddev":1726614.2,"c_to_s_min":433,"c_to_s_avg":743057.9,"c_to_s_max":9679760,"c_to_s_stddev":2162158.0,"s_to_c_min":594,"s_to_c_avg":339921.2,"s_to_c_max":2508511,"s_to_c_stddev":639724.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":519.5,"c_to_s_max":1306,"c_to_s_stddev":486.1,"s_to_c_min":66,"s_to_c_avg":599.2,"s_to_c_max":1754,"s_to_c_stddev":653.2}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +01475{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1310,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167776953879,"flow_src_last_pkt_time":1492167781392220,"flow_dst_last_pkt_time":1492167781372855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8609,"flow_dst_tot_l4_payload_len":6923,"midstream":0,"thread_ts_usec":1492167781392220,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":433,"flow_avg":285719.9,"flow_max":2508511,"flow_stddev":565344.7,"c_to_s_min":433,"c_to_s_avg":246574.5,"c_to_s_max":2227616,"c_to_s_stddev":501224.1,"s_to_c_min":594,"s_to_c_avg":339921.2,"s_to_c_max":2508511,"s_to_c_stddev":639724.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":519.5,"c_to_s_max":1306,"c_to_s_stddev":486.1,"s_to_c_min":66,"s_to_c_avg":599.2,"s_to_c_max":1754,"s_to_c_stddev":653.2}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00861{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1327,"source":"wechat.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1492167619048267,"flow_src_last_pkt_time":1492167654504261,"flow_dst_last_pkt_time":1492167619048267,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167782480271,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54106,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00758{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1327,"source":"wechat.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1492167619048267,"flow_src_last_pkt_time":1492167654504261,"flow_dst_last_pkt_time":1492167619048267,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167782480271,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54106,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1327,"source":"wechat.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167788126900,"flow_src_last_pkt_time":1492167788126900,"flow_dst_last_pkt_time":1492167788126900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167788126900,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -457,7 +457,7 @@ 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1432,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":3,"flow_src_last_pkt_time":1492167866495436,"flow_dst_last_pkt_time":1492167866495347,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167866495436,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0hOhAAEAGlFPAqAFny82Tq+K5AbuucSvGejQMP4AQAOXl+wAAAQEICgAyr2VFrzPt"} 01110{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1434,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167866243873,"flow_dst_last_pkt_time":1492167866514555,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167866514555,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01763{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1436,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167866514612,"flow_dst_last_pkt_time":1492167866514947,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":2856,"midstream":0,"thread_ts_usec":1492167866514947,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} -01217{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1465,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167868793020,"flow_dst_last_pkt_time":1492167868783731,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":12291,"flow_dst_tot_l4_payload_len":3489,"midstream":0,"thread_ts_usec":1492167868793020,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":856295.6,"flow_max":21774775,"flow_stddev":3773003.5,"c_to_s_min":11,"c_to_s_avg":1229638.1,"c_to_s_max":21774775,"c_to_s_stddev":4722098.5,"s_to_c_min":392,"s_to_c_avg":234058.2,"s_to_c_max":1577028,"s_to_c_stddev":422251.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":681.0,"c_to_s_max":1494,"c_to_s_stddev":612.6,"s_to_c_min":66,"s_to_c_avg":357.4,"s_to_c_max":1494,"s_to_c_stddev":515.7}}} +01212{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1465,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167868793020,"flow_dst_last_pkt_time":1492167868783731,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":12291,"flow_dst_tot_l4_payload_len":3489,"midstream":0,"thread_ts_usec":1492167868793020,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":181506.0,"flow_max":1577028,"flow_stddev":351924.9,"c_to_s_min":11,"c_to_s_avg":148315.1,"c_to_s_max":1255603,"c_to_s_stddev":294311.1,"s_to_c_min":392,"s_to_c_avg":234058.2,"s_to_c_max":1577028,"s_to_c_stddev":422251.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":681.0,"c_to_s_max":1494,"c_to_s_stddev":612.6,"s_to_c_min":66,"s_to_c_avg":357.4,"s_to_c_max":1494,"s_to_c_stddev":515.7}}} 01768{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1465,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167868793020,"flow_dst_last_pkt_time":1492167868783731,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":12291,"flow_dst_tot_l4_payload_len":3489,"midstream":0,"thread_ts_usec":1492167868793020,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} 01050{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1478,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1492167866226283,"flow_src_last_pkt_time":1492167871050375,"flow_dst_last_pkt_time":1492167867786741,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167871050375,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01110{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1484,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167866226283,"flow_src_last_pkt_time":1492167871050375,"flow_dst_last_pkt_time":1492167871323158,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167871323158,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} diff --git a/test/results/weibo.pcap.out b/test/results/weibo.pcap.out index e27899ef0..06c1950a0 100644 --- a/test/results/weibo.pcap.out +++ b/test/results/weibo.pcap.out @@ -55,7 +55,7 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":53,"source":"weibo.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1463089072046092,"flow_dst_last_pkt_time":1463089072070732,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1463089072070732,"pkt":"eJKcD6iOkDVu60UQCABFAAA0NhEAADYG4CXYOtRBwKgBaQG7h4sGjBrJ+KmsNoAQAV6y1gAAAQEICiUZAmMAQNzC"} 01146{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":54,"source":"weibo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1463089071613246,"flow_src_last_pkt_time":1463089071642772,"flow_dst_last_pkt_time":1463089072125117,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":5,"flow_src_tot_l4_payload_len":450,"flow_dst_tot_l4_payload_len":5,"midstream":0,"thread_ts_usec":1463089072125117,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.137","src_port":51698,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.weibo.com","http": {"url":"www.weibo.com\/login.php?lang=en-us","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/50.0.2661.102 Safari\/537.36","detected_os":"Linux x86_64"}}} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":64,"source":"weibo.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_src_last_pkt_time":1463089071994093,"flow_dst_last_pkt_time":1463089072138578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1463089072138578,"pkt":"eJKcD6iOkDVu60UQCABFAAA0XohAABsGZHc24aPSwKgBaQG7nfhaPbwDA69SioAQAIjCywAAAQEICgEjLGEAQNyy"} -01354{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":83,"source":"weibo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089071613246,"flow_src_last_pkt_time":1463089072230888,"flow_dst_last_pkt_time":1463089072285673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":2872,"flow_src_tot_l4_payload_len":450,"flow_dst_tot_l4_payload_len":12066,"midstream":0,"thread_ts_usec":1463089072285673,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.137","src_port":51698,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":21,"flow_avg":42248.1,"flow_max":482409,"flow_stddev":112053.9,"c_to_s_min":21,"c_to_s_avg":42469.4,"c_to_s_max":482409,"c_to_s_stddev":115566.9,"s_to_c_min":24,"s_to_c_avg":42026.7,"s_to_c_max":454492,"s_to_c_stddev":108426.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":103.6,"c_to_s_max":516,"c_to_s_stddev":106.7,"s_to_c_min":66,"s_to_c_avg":820.6,"s_to_c_max":2938,"s_to_c_stddev":832.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01354{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":83,"source":"weibo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089071613246,"flow_src_last_pkt_time":1463089072230888,"flow_dst_last_pkt_time":1463089072285673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":2872,"flow_src_tot_l4_payload_len":450,"flow_dst_tot_l4_payload_len":12066,"midstream":0,"thread_ts_usec":1463089072285673,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.137","src_port":51698,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":21,"flow_avg":41615.1,"flow_max":482409,"flow_stddev":113790.6,"c_to_s_min":21,"c_to_s_avg":41176.1,"c_to_s_max":482409,"c_to_s_stddev":119244.9,"s_to_c_min":24,"s_to_c_avg":42026.7,"s_to_c_max":454492,"s_to_c_stddev":108426.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":103.6,"c_to_s_max":516,"c_to_s_stddev":106.7,"s_to_c_min":66,"s_to_c_avg":820.6,"s_to_c_max":2938,"s_to_c_stddev":832.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":107,"source":"weibo.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089072333305,"flow_src_last_pkt_time":1463089072333305,"flow_dst_last_pkt_time":1463089072333305,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":33,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089072333305,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":53543,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":107,"source":"weibo.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1463089072333305,"flow_dst_last_pkt_time":1463089072333305,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":75,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":75,"pkt_l4_len":41,"thread_ts_usec":1463089072333305,"pkt":"kDVu60UQeJKcD6iOCABFAAA9J7BAAEARj0XAqAFpwKgBAdEnADUAKd+0rc0BAAABAAAAAAAAA2ltZwF0BnNpbmFqcwJjbgAAAQAB"} 01005{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":107,"source":"weibo.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089072333305,"flow_src_last_pkt_time":1463089072333305,"flow_dst_last_pkt_time":1463089072333305,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":33,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089072333305,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":53543,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Sina(Weibo)","proto_id":"5.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"img.t.sinajs.cn","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -79,8 +79,8 @@ 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":175,"source":"weibo.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089072885992,"flow_src_last_pkt_time":1463089072885992,"flow_dst_last_pkt_time":1463089072885992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089072885992,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":41352,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":175,"source":"weibo.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_src_last_pkt_time":1463089072885992,"flow_dst_last_pkt_time":1463089072885992,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1463089072885992,"pkt":"kDVu60UQeJKcD6iOCABFAAA8J\/lAAEARjv3AqAFpwKgBAaGIADUAKAcnK+gBAAABAAAAAAAAAmpzAXQGc2luYWpzAmNuAAABAAE="} 01004{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":175,"source":"weibo.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089072885992,"flow_src_last_pkt_time":1463089072885992,"flow_dst_last_pkt_time":1463089072885992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089072885992,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":41352,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Sina(Weibo)","proto_id":"5.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"js.t.sinajs.cn","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01352{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":202,"source":"weibo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445053,"flow_src_last_pkt_time":1463089073026834,"flow_dst_last_pkt_time":1463089073029617,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":432,"flow_dst_max_l4_payload_len":2872,"flow_src_tot_l4_payload_len":432,"flow_dst_tot_l4_payload_len":20099,"midstream":0,"thread_ts_usec":1463089073029617,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35804,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":38,"flow_avg":39940.4,"flow_max":314329,"flow_stddev":71573.7,"c_to_s_min":38,"c_to_s_avg":43345.6,"c_to_s_max":314329,"c_to_s_stddev":76030.7,"s_to_c_min":59,"s_to_c_avg":36535.2,"s_to_c_max":283150,"s_to_c_stddev":66646.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":98.8,"c_to_s_max":498,"c_to_s_stddev":103.2,"s_to_c_min":66,"s_to_c_avg":1322.7,"s_to_c_max":2938,"s_to_c_stddev":789.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":218,"source":"weibo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445019,"flow_src_last_pkt_time":1463089073075846,"flow_dst_last_pkt_time":1463089073079547,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":420,"flow_dst_max_l4_payload_len":4308,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":24521,"midstream":0,"thread_ts_usec":1463089073079547,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35803,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":151,"flow_avg":43033.4,"flow_max":400547,"flow_stddev":92172.9,"c_to_s_min":151,"c_to_s_avg":46408.8,"c_to_s_max":400547,"c_to_s_stddev":96112.0,"s_to_c_min":2804,"s_to_c_avg":39658.0,"s_to_c_max":372448,"s_to_c_stddev":87928.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":96.5,"c_to_s_max":486,"c_to_s_stddev":100.7,"s_to_c_min":66,"s_to_c_avg":1599.1,"s_to_c_max":4374,"s_to_c_stddev":1251.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01352{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":202,"source":"weibo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445053,"flow_src_last_pkt_time":1463089073026834,"flow_dst_last_pkt_time":1463089073029617,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":432,"flow_dst_max_l4_payload_len":2872,"flow_src_tot_l4_payload_len":432,"flow_dst_tot_l4_payload_len":20099,"midstream":0,"thread_ts_usec":1463089073029617,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35804,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":38,"flow_avg":37624.0,"flow_max":314329,"flow_stddev":71528.6,"c_to_s_min":38,"c_to_s_avg":38785.4,"c_to_s_max":314329,"c_to_s_stddev":76376.2,"s_to_c_min":59,"s_to_c_avg":36535.2,"s_to_c_max":283150,"s_to_c_stddev":66646.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":98.8,"c_to_s_max":498,"c_to_s_stddev":103.2,"s_to_c_min":66,"s_to_c_avg":1322.7,"s_to_c_max":2938,"s_to_c_stddev":789.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":218,"source":"weibo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445019,"flow_src_last_pkt_time":1463089073075846,"flow_dst_last_pkt_time":1463089073079547,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":420,"flow_dst_max_l4_payload_len":4308,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":24521,"midstream":0,"thread_ts_usec":1463089073079547,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35803,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":151,"flow_avg":40817.9,"flow_max":400547,"flow_stddev":92805.4,"c_to_s_min":151,"c_to_s_avg":42055.1,"c_to_s_max":400547,"c_to_s_stddev":97724.5,"s_to_c_min":2804,"s_to_c_avg":39658.0,"s_to_c_max":372448,"s_to_c_stddev":87928.4},"pktlen": {"c_to_s_min":66,"c_to_s_avg":96.5,"c_to_s_max":486,"c_to_s_stddev":100.7,"s_to_c_min":66,"s_to_c_avg":1599.1,"s_to_c_max":4374,"s_to_c_stddev":1251.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":252,"source":"weibo.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073286278,"flow_src_last_pkt_time":1463089073286278,"flow_dst_last_pkt_time":1463089073286278,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073286278,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":18035,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":252,"source":"weibo.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_src_last_pkt_time":1463089073286278,"flow_dst_last_pkt_time":1463089073286278,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"thread_ts_usec":1463089073286278,"pkt":"kDVu60UQeJKcD6iOCABFAABDKCFAAEARjs7AqAFpwKgBAUZzADUAL2deWFEBAAABAAAAAAAAAnUxA2ltZwZtb2JpbGUEc2luYQJjbgAAAQAB"} 01011{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":252,"source":"weibo.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073286278,"flow_src_last_pkt_time":1463089073286278,"flow_dst_last_pkt_time":1463089073286278,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073286278,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":18035,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Sina(Weibo)","proto_id":"5.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"u1.img.mobile.sina.cn","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -173,9 +173,9 @@ 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":440,"source":"weibo.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_src_last_pkt_time":1463089073788865,"flow_dst_last_pkt_time":1463089073788865,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1463089073788865,"pkt":"kDVu60UQeJKcD6iOCABFAAA8M4FAAEAGYnrAqAFpKpy4E8wyAbubxznpAAAAAKACchCC5wAAAgQFtAQCCAoAQQpoAAAAAAEDAwc="} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":441,"source":"weibo.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073789999,"flow_src_last_pkt_time":1463089073789999,"flow_dst_last_pkt_time":1463089073789999,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073789999,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"140.205.170.63","src_port":47723,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":441,"source":"weibo.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1463089073789999,"flow_dst_last_pkt_time":1463089073789999,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1463089073789999,"pkt":"kDVu60UQeJKcD6iOCABFAAA8F+ZAAEAGKbjAqAFpjM2qP7prAbvY7h2OAAAAAKACchAfhQAAAgQFtAQCCAoAQQpoAAAAAAEDAwc="} -01359{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":444,"source":"weibo.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445071,"flow_src_last_pkt_time":1463089073791996,"flow_dst_last_pkt_time":1463089073794639,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":459,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":869,"flow_dst_tot_l4_payload_len":13850,"midstream":0,"thread_ts_usec":1463089073794639,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35805,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":259,"flow_avg":87758.1,"flow_max":438815,"flow_stddev":117531.2,"c_to_s_min":259,"c_to_s_avg":91168.2,"c_to_s_max":375915,"c_to_s_stddev":112564.0,"s_to_c_min":2661,"s_to_c_avg":84348.0,"s_to_c_max":438815,"s_to_c_stddev":122201.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":123.8,"c_to_s_max":525,"c_to_s_stddev":142.7,"s_to_c_min":66,"s_to_c_avg":932.1,"s_to_c_max":1502,"s_to_c_stddev":568.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":450,"source":"weibo.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089073321163,"flow_src_last_pkt_time":1463089073801051,"flow_dst_last_pkt_time":1463089073804152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":484,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":484,"flow_dst_tot_l4_payload_len":18086,"midstream":0,"thread_ts_usec":1463089073804152,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35807,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":142,"flow_avg":41903.0,"flow_max":378020,"flow_stddev":80837.6,"c_to_s_min":142,"c_to_s_avg":53619.2,"c_to_s_max":378020,"c_to_s_stddev":100538.0,"s_to_c_min":2451,"s_to_c_avg":30186.8,"s_to_c_max":162100,"s_to_c_stddev":51836.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":97.5,"c_to_s_max":550,"c_to_s_stddev":116.9,"s_to_c_min":66,"s_to_c_avg":1196.9,"s_to_c_max":1502,"s_to_c_stddev":539.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":495,"source":"weibo.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089073334322,"flow_src_last_pkt_time":1463089073888564,"flow_dst_last_pkt_time":1463089073891278,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":473,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":473,"flow_dst_tot_l4_payload_len":18114,"midstream":0,"thread_ts_usec":1463089073891278,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35809,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":137,"flow_avg":46949.3,"flow_max":391179,"flow_stddev":82555.8,"c_to_s_min":137,"c_to_s_avg":59088.8,"c_to_s_max":391179,"c_to_s_stddev":105413.3,"s_to_c_min":2552,"s_to_c_avg":34809.8,"s_to_c_max":181460,"s_to_c_stddev":47161.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":96.8,"c_to_s_max":539,"c_to_s_stddev":114.2,"s_to_c_min":66,"s_to_c_avg":1198.6,"s_to_c_max":1502,"s_to_c_stddev":536.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01359{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":444,"source":"weibo.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445071,"flow_src_last_pkt_time":1463089073791996,"flow_dst_last_pkt_time":1463089073794639,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":459,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":869,"flow_dst_tot_l4_payload_len":13850,"midstream":0,"thread_ts_usec":1463089073794639,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35805,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":259,"flow_avg":86983.6,"flow_max":438815,"flow_stddev":119331.4,"c_to_s_min":259,"c_to_s_avg":89795.0,"c_to_s_max":375915,"c_to_s_stddev":116125.7,"s_to_c_min":2661,"s_to_c_avg":84348.0,"s_to_c_max":438815,"s_to_c_stddev":122201.7},"pktlen": {"c_to_s_min":66,"c_to_s_avg":123.8,"c_to_s_max":525,"c_to_s_stddev":142.7,"s_to_c_min":66,"s_to_c_avg":932.1,"s_to_c_max":1502,"s_to_c_stddev":568.1}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":450,"source":"weibo.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089073321163,"flow_src_last_pkt_time":1463089073801051,"flow_dst_last_pkt_time":1463089073804152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":484,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":484,"flow_dst_tot_l4_payload_len":18086,"midstream":0,"thread_ts_usec":1463089073804152,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35807,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":142,"flow_avg":31060.5,"flow_max":183686,"flow_stddev":54622.5,"c_to_s_min":142,"c_to_s_avg":31992.5,"c_to_s_max":183686,"c_to_s_stddev":57431.0,"s_to_c_min":2451,"s_to_c_avg":30186.8,"s_to_c_max":162100,"s_to_c_stddev":51836.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":97.5,"c_to_s_max":550,"c_to_s_stddev":116.9,"s_to_c_min":66,"s_to_c_avg":1196.9,"s_to_c_max":1502,"s_to_c_stddev":539.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":495,"source":"weibo.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089073334322,"flow_src_last_pkt_time":1463089073888564,"flow_dst_last_pkt_time":1463089073891278,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":473,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":473,"flow_dst_tot_l4_payload_len":18114,"midstream":0,"thread_ts_usec":1463089073891278,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35809,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":137,"flow_avg":35845.1,"flow_max":252228,"flow_stddev":55584.3,"c_to_s_min":137,"c_to_s_avg":36949.5,"c_to_s_max":252228,"c_to_s_stddev":63327.3,"s_to_c_min":2552,"s_to_c_avg":34809.8,"s_to_c_max":181460,"s_to_c_stddev":47161.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":96.8,"c_to_s_max":539,"c_to_s_stddev":114.2,"s_to_c_min":66,"s_to_c_avg":1198.6,"s_to_c_max":1502,"s_to_c_stddev":536.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00757{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1463089073394759,"flow_src_last_pkt_time":1463089073773797,"flow_dst_last_pkt_time":1463089073773608,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":428,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":428,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073893914,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"222.73.28.96","src_port":42275,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00886{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073537120,"flow_src_last_pkt_time":1463089073537120,"flow_dst_last_pkt_time":1463089073537120,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073893914,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"222.73.28.96","src_port":42280,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00753{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073537120,"flow_src_last_pkt_time":1463089073537120,"flow_dst_last_pkt_time":1463089073537120,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073893914,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"222.73.28.96","src_port":42280,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} diff --git a/test/results/whatsapp_login_call.pcap.out b/test/results/whatsapp_login_call.pcap.out index bda1cd35a..3d9f7e5ec 100644 --- a/test/results/whatsapp_login_call.pcap.out +++ b/test/results/whatsapp_login_call.pcap.out @@ -72,16 +72,16 @@ 01184{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1432582228504689,"flow_dst_last_pkt_time":1432582228503997,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":540,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":540,"pkt_l4_len":506,"thread_ts_usec":1432582228504689,"pkt":"xiwDYGpkAPS5Jrv0CABFAAIO1F9AAEAGq2HAqAIEEW7lDsApFGe4aFEm1IsaTIAYIACssAAAAQEICi36MxJvhmvfY2JtdD6CZ3s26zaizYDBa1\/xV9+nfluOxtxa1tx195Jafsz52yXEOESrPvfo4L8JAAp0DYIaansHyOlB83T10iMEgMWpntVaGhVYz7Ui4c09FkbWN9q+65\/aqUq4TUrgzMyqE5QUWhXZSc\/uGC0icKHu+b2FL4NHGUs7nYDs8Xc0v0flHk5486jecRIc\/ROiqHyACG3C0wwDLYD5dPHsc+oO3YTdMQHp\/Y5aWShkoF9bF0dA6YegCOYLbVQKFU7DAdWxqhRRjje8xXf+tC7iVD+agcMxzHZHBdPvzUlsa6Hnp2KvOrzs9LBI3\/AlWnTDSOZNp+mWgK4MB2zxE5cEBsbimybYF8snsRtPtIBkMUfF1XAd9wg4sSCboXV1ik63xPuzTMdOxIRWWE26PTSksHKRu47JqvdF18Y85LvvQvIIft9jAMxZNM1JpDNK3xHTwcbI8OJ5ZzkwaDArtx1Yo+du+Za4kNeW1j1f7jlL58\/xs\/9pH231BKAPZrpjtiVLnSRVafACBd5M5lgbO1u\/aSBlmIQ\/UK6DM\/jen1DGM+xWiz3ABAYXKSpL6XfsJZ+dpwtcFktAw18x3fF8GSC0\/zgV+SA55WfIkN+qTLtYiq6ct7jHTceCT8cS"} 00878{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":82,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432582227643274,"flow_src_last_pkt_time":1432582228593505,"flow_dst_last_pkt_time":1432582228041916,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":166,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":166,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582228593505,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"184.173.179.37","src_port":49202,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1432582228504689,"flow_dst_last_pkt_time":1432582228753368,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582228753368,"pkt":"APS5Jrv0xiwDYGpkCABFAAA0JuMAAC8Gq7gRbuUOwKgCBBRnwCnUixpMuGhRJoAQAQ6R7QAAAQEICm+GjQ4t+jMS"} -01212{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":108,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1432582227604482,"flow_src_last_pkt_time":1432582229309355,"flow_dst_last_pkt_time":1432582229616362,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6486,"flow_dst_tot_l4_payload_len":6050,"midstream":0,"thread_ts_usec":1432582229616362,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":9,"flow_avg":118587.3,"flow_max":712466,"flow_stddev":176795.8,"c_to_s_min":9,"c_to_s_avg":99050.8,"c_to_s_max":405162,"c_to_s_stddev":146783.4,"s_to_c_min":35,"s_to_c_avg":143705.7,"s_to_c_max":712466,"s_to_c_stddev":206448.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":415.7,"c_to_s_max":1494,"c_to_s_stddev":580.9,"s_to_c_min":54,"s_to_c_avg":487.0,"s_to_c_max":1494,"s_to_c_stddev":610.4}}} +01213{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":108,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1432582227604482,"flow_src_last_pkt_time":1432582229309355,"flow_dst_last_pkt_time":1432582229616362,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6486,"flow_dst_tot_l4_payload_len":6050,"midstream":0,"thread_ts_usec":1432582229616362,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":9,"flow_avg":119895.3,"flow_max":712466,"flow_stddev":179472.3,"c_to_s_min":9,"c_to_s_avg":100286.6,"c_to_s_max":405162,"c_to_s_stddev":150947.8,"s_to_c_min":35,"s_to_c_avg":143705.7,"s_to_c_max":712466,"s_to_c_stddev":206448.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":415.7,"c_to_s_max":1494,"c_to_s_stddev":580.9,"s_to_c_min":54,"s_to_c_avg":487.0,"s_to_c_max":1494,"s_to_c_stddev":610.4}}} 01609{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":108,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1432582227604482,"flow_src_last_pkt_time":1432582229309355,"flow_dst_last_pkt_time":1432582229616362,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6486,"flow_dst_tot_l4_payload_len":6050,"midstream":0,"thread_ts_usec":1432582229616362,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"query.ess.apple.com","tls": {"version":"TLSv1.2","server_names":"*.ess.apple.com","ja3":"799135475da362592a4be9199d258726","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"CN=Apple Server Authentication CA, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=*.ess.apple.com, OU=ISG Delivery Ops, O=Apple Inc., C=US","fingerprint":"BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B"}}} 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":137,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582230648273,"flow_dst_last_pkt_time":1432582230648273,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582230648273,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1432582230648273,"flow_dst_last_pkt_time":1432582230648273,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1432582230648273,"pkt":"xiwDYGpkAPS5Jrv0CABFAABAZppAAEAGvV7AqAIEEa1CZsA0AbuMr4Y\/AAAAALAC\/\/\/iDQAAAgQFtAEDAwQBAQgKLfo7WAAAAAAEAgAA"} -01352{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":138,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582227643274,"flow_src_last_pkt_time":1432582230649748,"flow_dst_last_pkt_time":1432582230614203,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":201,"flow_dst_max_l4_payload_len":78,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":445,"midstream":0,"thread_ts_usec":1432582230649748,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"184.173.179.37","src_port":49202,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":194350.6,"flow_max":709350,"flow_stddev":170559.6,"c_to_s_min":276,"c_to_s_avg":179643.5,"c_to_s_max":708056,"c_to_s_stddev":159062.6,"s_to_c_min":4,"s_to_c_avg":212209.2,"s_to_c_max":709350,"s_to_c_stddev":181963.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":134.9,"c_to_s_max":267,"c_to_s_stddev":77.7,"s_to_c_min":66,"s_to_c_avg":96.2,"s_to_c_max":144,"s_to_c_stddev":16.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01352{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":138,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582227643274,"flow_src_last_pkt_time":1432582230649748,"flow_dst_last_pkt_time":1432582230614203,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":201,"flow_dst_max_l4_payload_len":78,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":445,"midstream":0,"thread_ts_usec":1432582230649748,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"184.173.179.37","src_port":49202,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":199246.8,"flow_max":709350,"flow_stddev":171222.4,"c_to_s_min":276,"c_to_s_avg":187904.6,"c_to_s_max":708056,"c_to_s_stddev":160380.9,"s_to_c_min":4,"s_to_c_avg":212209.2,"s_to_c_max":709350,"s_to_c_stddev":181963.6},"pktlen": {"c_to_s_min":66,"c_to_s_avg":134.9,"c_to_s_max":267,"c_to_s_stddev":77.7,"s_to_c_min":66,"s_to_c_avg":96.2,"s_to_c_max":144,"s_to_c_stddev":16.2}},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":142,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_src_last_pkt_time":1432582230648273,"flow_dst_last_pkt_time":1432582230787552,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582230787552,"pkt":"APS5Jrv0xiwDYGpkCABFAAA0jEsAAO8GKLkRrUJmwKgCBAG7wDR81DyUjK+GQIASH\/6qEgAAAgQFoAEDAwQBAQQC"} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":144,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_src_last_pkt_time":1432582230854807,"flow_dst_last_pkt_time":1432582230787552,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432582230854807,"pkt":"xiwDYGpkAPS5Jrv0CABFAAAoLotAAEAG9YXAqAIEEa1CZsA0AbuMr4ZAfNQ8lVAQQADKywAA"} 01198{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":146,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582230862990,"flow_dst_last_pkt_time":1432582230787552,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582230862990,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"p53-buy.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"799135475da362592a4be9199d258726","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01241{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":148,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582230862990,"flow_dst_last_pkt_time":1432582231003264,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1432582231003264,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"p53-buy.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"799135475da362592a4be9199d258726","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}} -01503{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":177,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582231572130,"flow_dst_last_pkt_time":1432582231504448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5225,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582231572130,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":15,"flow_avg":56690.7,"flow_max":246332,"flow_stddev":87636.8,"c_to_s_min":20,"c_to_s_avg":56348.6,"c_to_s_max":241033,"c_to_s_stddev":87661.1,"s_to_c_min":15,"s_to_c_avg":57078.3,"s_to_c_max":246332,"s_to_c_stddev":87607.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":362.8,"c_to_s_max":1494,"c_to_s_stddev":464.1,"s_to_c_min":54,"s_to_c_avg":235.9,"s_to_c_max":1002,"s_to_c_stddev":321.5}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}} +01503{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":177,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582231572130,"flow_dst_last_pkt_time":1432582231504448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5225,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582231572130,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":15,"flow_avg":57420.4,"flow_max":246332,"flow_stddev":88943.3,"c_to_s_min":20,"c_to_s_avg":57741.1,"c_to_s_max":241033,"c_to_s_stddev":90176.5,"s_to_c_min":15,"s_to_c_avg":57078.3,"s_to_c_max":246332,"s_to_c_stddev":87607.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":362.8,"c_to_s_max":1494,"c_to_s_stddev":464.1,"s_to_c_min":54,"s_to_c_avg":235.9,"s_to_c_max":1002,"s_to_c_stddev":321.5}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":183,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582233314493,"flow_src_last_pkt_time":1432582233314493,"flow_dst_last_pkt_time":1432582233314493,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582233314493,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"93.186.135.8","src_port":49192,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":183,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_src_last_pkt_time":1432582233314493,"flow_dst_last_pkt_time":1432582233314493,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582233314493,"pkt":"xiwDYGpkAPS5Jrv0CABFAAA0kh5AAEAGATfAqAIEXbqHCMAoAFBgmxszxhyTY4ARIABAdgAAAQEICi36RbdjLQIx"} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":184,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_src_last_pkt_time":1432582233314493,"flow_dst_last_pkt_time":1432582233380398,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582233380398,"pkt":"APS5Jrv0xiwDYGpkCABFAAA0ewoAADkGX0tduocIwKgCBABQwCjGHJNjYJsbNIAQAebnbwAAAQEICmMteVEt+kW3"} @@ -178,7 +178,7 @@ 00915{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":342,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1432582258825375,"flow_dst_last_pkt_time":1432582258815685,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"thread_ts_usec":1432582258825375,"pkt":"xiwDYGpkAPS5Jrv0CABFwAFIgM0AAEARKS3AqAIEW\/2wQck+JIABNDV+gPhBLgAAPABUWSgkrOczzTmmNaWeHGyeFn5K8vlkangPxwACY7IwMpCpL5qUBEDYknjmXwiwt1Sg\/GoDEpuWps7K3BPScguv1CoIPKC+VL4kk69VBQy2eU1f6p0OhYSXKAcM\/9HmK5KZeJJnhjzxZ+J\/AtWZs+X8uDaujdvMYKyUONaU\/07PQLiEd81h3NGLNxCpTNYPkmMGXMy1y+UaiUzN89zB2\/RkHbLVqN6e+nvnnRR2frMRlVsFWAJQmXtD929e1+a2u\/RdJfu15HCbSLl3jTXDbl84mpeVYYxkc3LSpxB7HrCYZEpYcCniVsfACmA6zpHVbv1BlaoQu+KuUWJT2eQ73+Vh12sP5aPix21kFcGvLfE3UalmxPkTCEhiCOUQRQbTvOcEo103"} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":350,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_src_last_pkt_time":1432582259254832,"flow_dst_last_pkt_time":1432582258587552,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582259254832,"pkt":"xiwDYGpkAPS5Jrv0CABFwABIbNAAAEAR7efAqAIEAcJav8k+65gANKlVAAEAGCESpEKmTTdqxAPLVFlkZFwACAAUe9SyVdo3\/CPkaMOU00d3jUs\/Tzg="} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":362,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":3,"flow_src_last_pkt_time":1432582259886962,"flow_dst_last_pkt_time":1432582258587552,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582259886962,"pkt":"xiwDYGpkAPS5Jrv0CABFwABI77MAAEARawTAqAIEAcJav8k+65gANKqSAAEAGCESpEK30Ms3\/7rzJdDOeSQACAAUjiMqFpbreAaLOXedI1Eon++y9eE="} -01496{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":378,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582258730153,"flow_src_last_pkt_time":1432582260754649,"flow_dst_last_pkt_time":1432582260775626,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":309,"flow_dst_max_l4_payload_len":289,"flow_src_tot_l4_payload_len":3471,"flow_dst_tot_l4_payload_len":2001,"midstream":0,"thread_ts_usec":1432582260775626,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":51518,"dst_port":9344,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":44,"flow_avg":129264.0,"flow_max":352421,"flow_stddev":70031.5,"c_to_s_min":61,"c_to_s_avg":122998.5,"c_to_s_max":188593,"c_to_s_stddev":55712.6,"s_to_c_min":44,"s_to_c_avg":136364.9,"s_to_c_max":352421,"s_to_c_stddev":82765.2},"pktlen": {"c_to_s_min":68,"c_to_s_avg":246.2,"c_to_s_max":351,"c_to_s_stddev":97.7,"s_to_c_min":64,"s_to_c_avg":175.4,"s_to_c_max":331,"s_to_c_stddev":85.7}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01496{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":378,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582258730153,"flow_src_last_pkt_time":1432582260754649,"flow_dst_last_pkt_time":1432582260775626,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":309,"flow_dst_max_l4_payload_len":289,"flow_src_tot_l4_payload_len":3471,"flow_dst_tot_l4_payload_len":2001,"midstream":0,"thread_ts_usec":1432582260775626,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":51518,"dst_port":9344,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":44,"flow_avg":131289.3,"flow_max":352421,"flow_stddev":70223.6,"c_to_s_min":61,"c_to_s_avg":126531.0,"c_to_s_max":188593,"c_to_s_stddev":55549.6,"s_to_c_min":44,"s_to_c_avg":136364.9,"s_to_c_max":352421,"s_to_c_stddev":82765.2},"pktlen": {"c_to_s_min":68,"c_to_s_avg":246.2,"c_to_s_max":351,"c_to_s_stddev":97.7,"s_to_c_min":64,"s_to_c_avg":175.4,"s_to_c_max":331,"s_to_c_stddev":85.7}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00737{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582267983119,"flow_src_last_pkt_time":1432582267983119,"flow_dst_last_pkt_time":1432582267983119,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582267983119,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_src_last_pkt_time":1432582267983119,"flow_dst_last_pkt_time":1432582267983119,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1432582267983119,"pkt":"xiwDYGpkAPS5Jrv0CABFAAA44FwAAEABy33AqAIEW\/2wQQMDDx4AAAAARQAANHIMAAAvEUrCW\/2wQcCoAgQkgMk+ACAAAA=="} 00862{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582267983119,"flow_src_last_pkt_time":1432582267983119,"flow_dst_last_pkt_time":1432582267983119,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582267983119,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.105516}} @@ -261,7 +261,7 @@ 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":965,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_src_last_pkt_time":1432582303607918,"flow_dst_last_pkt_time":1432582303604793,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582303607918,"pkt":"xiwDYGpkAPS5Jrv0CABFwABIbOUAAEARPhXAqAIEW\/2wQc46JcEANIk8AQEAGCESpEIU61RZ3ZsVVlL2qyQACAAU6CFWVCyx0lHi4kItE160ER18SxI="} 00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":972,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":2,"flow_src_last_pkt_time":1432582303831637,"flow_dst_last_pkt_time":1432582303186638,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582303831637,"pkt":"xiwDYGpkAPS5Jrv0CABFwABIdWcAAEAR5VDAqAIEAcJav846yg8ANHIiAAEAGCESpEJT9nMzid0wAn5OIFYACAAUj7UY3ZixJKF1uir6vHE5QBib28w="} 00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":985,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":3,"flow_src_last_pkt_time":1432582304464260,"flow_dst_last_pkt_time":1432582303186638,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582304464260,"pkt":"xiwDYGpkAPS5Jrv0CABFwABIRQUAAEARFbPAqAIEAcJav846yg8ANIW7AAEAGCESpEIZoNpuKgJFUxs+kVcACAAURUHG5kUyySWGpYslvS2cuO+ddv8="} -01496{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":999,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1432582303300524,"flow_src_last_pkt_time":1432582305119064,"flow_dst_last_pkt_time":1432582305008654,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":278,"flow_dst_max_l4_payload_len":200,"flow_src_tot_l4_payload_len":1888,"flow_dst_tot_l4_payload_len":1727,"midstream":0,"thread_ts_usec":1432582305119064,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":52794,"dst_port":9665,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":40,"flow_avg":113758.2,"flow_max":307394,"flow_stddev":84658.4,"c_to_s_min":73,"c_to_s_avg":120758.2,"c_to_s_max":307394,"c_to_s_stddev":86872.2,"s_to_c_min":40,"s_to_c_avg":106758.1,"s_to_c_max":304269,"s_to_c_stddev":81788.2},"pktlen": {"c_to_s_min":68,"c_to_s_avg":160.0,"c_to_s_max":320,"c_to_s_stddev":63.0,"s_to_c_min":68,"s_to_c_avg":149.9,"s_to_c_max":242,"s_to_c_stddev":53.7}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +01496{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":999,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1432582303300524,"flow_src_last_pkt_time":1432582305119064,"flow_dst_last_pkt_time":1432582305008654,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":278,"flow_dst_max_l4_payload_len":200,"flow_src_tot_l4_payload_len":1888,"flow_dst_tot_l4_payload_len":1727,"midstream":0,"thread_ts_usec":1432582305119064,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":52794,"dst_port":9665,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":40,"flow_avg":113763.5,"flow_max":307394,"flow_stddev":86013.0,"c_to_s_min":73,"c_to_s_avg":121236.0,"c_to_s_max":307394,"c_to_s_stddev":89700.9,"s_to_c_min":40,"s_to_c_avg":106758.1,"s_to_c_max":304269,"s_to_c_stddev":81788.2},"pktlen": {"c_to_s_min":68,"c_to_s_avg":160.0,"c_to_s_max":320,"c_to_s_stddev":63.0,"s_to_c_min":68,"s_to_c_avg":149.9,"s_to_c_max":242,"s_to_c_stddev":53.7}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01191{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1022,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_src_last_pkt_time":1432582306376756,"flow_dst_last_pkt_time":1432582246280217,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"thread_ts_usec":1432582306376756,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAIS5VYAAEARDTTAqAIBwKgC\/0RcRFwB\/jsJeyJob3N0X2ludCI6IDMzNzUzNTk1OTMsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="} 00575{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1197,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":3,"flow_src_last_pkt_time":1432582324191957,"flow_dst_last_pkt_time":1432582247125660,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582324191957,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAABIJmQAAEARzfDAqAIBwKgC\/+EV4RUANKgAU3BvdFVkcDCYJeGQmjjiDQABAARIlcID1NylhjSgAeWF26p2NNVFJFGe2SE="} 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1198,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":56,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582331561251,"flow_src_last_pkt_time":1432582331561251,"flow_dst_last_pkt_time":1432582331561251,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582331561251,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.167.142.39","src_port":49197,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -274,7 +274,7 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1219,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":3,"flow_src_last_pkt_time":1432582355478348,"flow_dst_last_pkt_time":1432582355393148,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432582355478348,"pkt":"xiwDYGpkAPS5Jrv0CABFAAAoTu9AAEAG1SHAqAIEEa1CZsA1Abt+ckUkpMYmoFAQQAAIJwAA"} 01199{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1220,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582355482566,"flow_dst_last_pkt_time":1432582355393148,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582355482566,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"p53-buy.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"799135475da362592a4be9199d258726","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01242{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1222,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582355482566,"flow_dst_last_pkt_time":1432582355622106,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1432582355622106,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"p53-buy.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"799135475da362592a4be9199d258726","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}} -01507{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1248,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582356195572,"flow_dst_last_pkt_time":1432582356100109,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5224,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":80911.7,"flow_max":800043,"flow_stddev":157680.5,"c_to_s_min":52,"c_to_s_avg":102490.6,"c_to_s_max":800043,"c_to_s_stddev":198151.7,"s_to_c_min":11,"s_to_c_avg":56455.6,"s_to_c_max":228888,"s_to_c_stddev":86117.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":362.7,"c_to_s_max":1494,"c_to_s_stddev":464.1,"s_to_c_min":54,"s_to_c_avg":235.9,"s_to_c_max":1002,"s_to_c_stddev":321.5}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}} +01504{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1248,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582356195572,"flow_dst_last_pkt_time":1432582356100109,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5224,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":11,"flow_avg":57713.9,"flow_max":271808,"flow_stddev":91895.6,"c_to_s_min":52,"c_to_s_avg":58893.6,"c_to_s_max":271808,"c_to_s_stddev":96985.6,"s_to_c_min":11,"s_to_c_avg":56455.6,"s_to_c_max":228888,"s_to_c_stddev":86117.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":362.7,"c_to_s_max":1494,"c_to_s_stddev":464.1,"s_to_c_min":54,"s_to_c_avg":235.9,"s_to_c_max":1002,"s_to_c_stddev":321.5}},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}} 00897{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1249,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1432582224235628,"flow_src_last_pkt_time":1432582224264733,"flow_dst_last_pkt_time":1432582224263291,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"5.178.42.26","src_port":49174,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00763{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1249,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1432582224235628,"flow_src_last_pkt_time":1432582224264733,"flow_dst_last_pkt_time":1432582224263291,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"5.178.42.26","src_port":49174,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00899{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1249,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1432582224210874,"flow_src_last_pkt_time":1432582224240462,"flow_dst_last_pkt_time":1432582224238952,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"93.186.135.82","src_port":49173,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} diff --git a/test/results/whatsapp_login_chat.pcap.out b/test/results/whatsapp_login_chat.pcap.out index e3d75aa46..350404adf 100644 --- a/test/results/whatsapp_login_chat.pcap.out +++ b/test/results/whatsapp_login_chat.pcap.out @@ -18,7 +18,7 @@ 01165{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1432582381179706,"flow_dst_last_pkt_time":1432582381179399,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":531,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":531,"pkt_l4_len":497,"thread_ts_usec":1432582381179706,"pkt":"xiwDYGpkAPS5Jrv0CABFAAIFAqxAAEAGH4jAqAIEEa1CZsA1Abt+cl8spMYxPVAYQAAK4wAA+zXxkGmxqmlJcwlR7TpHpRtDDy9iaRt9w+hOFsERXuy8gwV22TTGXYqWLP3aSg0FRpPNh6b2JxTA9OSkJEk04NCfWqJRauLthWRuA7XoVn8i6Smk+coAOa3u15Yq91KVTfK0Likn42RkhoMCTU67u6i6Y4GW7d7uWiM6L3uLokbbGTmGs29u3afEGnNWZwLcuyp6rGxmPmWxvxgkiNCzEIsj5+jDbrTqLXDyyF322ZG7ztnAr92I1EUwbaElkdT9P28rYnazLdDX3NtrMNZoVpJg+JtJ\/7kZqQ2Wqzmg\/a3xXi4EVY3r6CTewAoUnubR3Qb8d8SxZWO8dXB980UXO8ObJWaEL5I20Sp30w7kYXi8hv4VgTLwR\/5GH+diyQKZuXNNplXdUL9qR0BnzfYHcTgjG28TOg74dTk611xDBeVR4Itg6rhO4EXCbpfiRmK6bb3CXGkaTCMHxUnezI+xc2Wog+XxCXrGyOiN2uGEyOBaMLxsAdU\/WfMK5Hg2kk6QV97kZZAhmz0GEeQIuwbiHtXsFgOmiLHGkBFU3uvrL2U0AIsy\/dg28ProYM\/UVKotXUmjaEkwo4XPHqyzoqhSMSd8fGbpRTWD+Jj7SG1OLSQLZ6OzyLhulPpesWWw"} 00876{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1432582381179399,"flow_src_last_pkt_time":1432582381179706,"flow_dst_last_pkt_time":1432582381179399,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":477,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1917,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582381179706,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01281{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1432582381179774,"flow_dst_last_pkt_time":1432582381179399,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":610,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":610,"pkt_l4_len":576,"thread_ts_usec":1432582381179774,"pkt":"xiwDYGpkAPS5Jrv0CABFAAJULUhAAEAG9JzAqAIEEa1CZsA1Abt+cmEJpMYxPVAYQAAkaQAAFwMDAifRP6n1iN3uB\/Uhy6B3MN22nTeVXJRqDhAyLGWagzjVPV67eGMiWlDpxIYk9ZRXb8ENyJMklAVg5qQxAfredM796d1woE5CM\/dDlnC9hhfBLqlOMT0Sc23vnR6S0CtE+vcI2IEc50YYFIr8cCuBcLPUtehQ+6FiIBzPUNdC8gBpCK0l8ehCaB6UsJ+9Lz+rqI7LymD80O7JD9GQGlEzf0ROrOYPwKN9oloslBYMUuNcVtuTSnZlQf6clnYgiVqjkPEIWZnj1\/SzJxC0XzXDZTCazzjZUphrvHsUFVKI\/iQfQLn2Pm20z\/bY+umTrESbc\/Rb\/jTAxKkWPlTguW5QNPTgHe+8CLbu8GlNIUhp6XnzV0lotZMlMuaBJakvd6GmWA8qWeiSGeNI8Nxabsp54T+pQf+cFTWMVSzn894mO+DZZ3gtq32z87kDjYiMhE2jHBbOrnjFvxmtQtZu7lyboSLDYh55cOzJECLrbK8MSRuDtHOP5G6iepYtPwv3WMGLCV+hTD9hULIUKlQnW8NxmNPf6x7m2WXh+T5KFO1k2GNZTSM8sWZLLJiGPB3r5p1nS3ObF9UaRS1rU\/+0JK5FT6PVQl\/T6rcJ66cGodbOS0a03YtqhfdlphEfqQSNy4IBPyE7+TYhqlI5kH8vw+oFYBVtxUinzFEEO03Tz6ey1LN8P\/4vb9rv1pyNfFxaNarK\/6\/1noAhKaU7nGWU\/L6Er+GI\/BOXYTn7Ng=="} -01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582381179399,"flow_src_last_pkt_time":1432582384764367,"flow_dst_last_pkt_time":1432582384691063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":11339,"flow_dst_tot_l4_payload_len":3880,"midstream":1,"thread_ts_usec":1432582384764367,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":223172.2,"flow_max":3030585,"flow_stddev":700693.6,"c_to_s_min":58,"c_to_s_avg":213520.4,"c_to_s_max":2803227,"c_to_s_stddev":653647.2,"s_to_c_min":3,"s_to_c_avg":234110.9,"s_to_c_max":3030585,"s_to_c_stddev":750305.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":721.0,"c_to_s_max":1494,"c_to_s_stddev":554.8,"s_to_c_min":54,"s_to_c_avg":312.7,"s_to_c_max":1002,"s_to_c_stddev":369.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01356{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582381179399,"flow_src_last_pkt_time":1432582384764367,"flow_dst_last_pkt_time":1432582384691063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":11339,"flow_dst_tot_l4_payload_len":3880,"midstream":1,"thread_ts_usec":1432582384764367,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":228923.6,"flow_max":3030585,"flow_stddev":711161.6,"c_to_s_min":58,"c_to_s_avg":224060.5,"c_to_s_max":2803227,"c_to_s_stddev":672361.1,"s_to_c_min":3,"s_to_c_avg":234110.9,"s_to_c_max":3030585,"s_to_c_stddev":750305.9},"pktlen": {"c_to_s_min":54,"c_to_s_avg":721.0,"c_to_s_max":1494,"c_to_s_stddev":554.8,"s_to_c_min":54,"s_to_c_avg":312.7,"s_to_c_max":1002,"s_to_c_stddev":369.5}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00771{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":73,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582396509617,"flow_src_last_pkt_time":1432582396509617,"flow_dst_last_pkt_time":1432582396509617,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":502,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":502,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":502,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582396509617,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 01188{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1432582396509617,"flow_dst_last_pkt_time":1432582396509617,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"thread_ts_usec":1432582396509617,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAISQPEAAEARsZnAqAIBwKgC\/0RcRFwB\/jsJeyJob3N0X2ludCI6IDMzNzUzNTk1OTMsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="} 00879{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":73,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582396509617,"flow_src_last_pkt_time":1432582396509617,"flow_dst_last_pkt_time":1432582396509617,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":502,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":502,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":502,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582396509617,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} diff --git a/test/results/whatsapp_voice_and_message.pcap.out b/test/results/whatsapp_voice_and_message.pcap.out index 581272026..610832d87 100644 --- a/test/results/whatsapp_voice_and_message.pcap.out +++ b/test/results/whatsapp_voice_and_message.pcap.out @@ -45,7 +45,7 @@ 00980{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":54,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432820571488232,"flow_src_last_pkt_time":1432820571488232,"flow_dst_last_pkt_time":1432820571488232,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":126,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820571488232,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"31.13.73.48","src_port":53620,"dst_port":3478,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_udp_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1432820571488232,"flow_dst_last_pkt_time":1432820571716839,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432820571716839,"pkt":"ABoRAAACABoRAAABCABFAABIABxAABAR+EMfDUkwCggAAQ2W0XQANGvUAQMAGCESpEIAAOlKSWdSWOu7U1cAIAAIAAGOsJ6wzx5AAgAIAAABTZrC3xA="} 00683{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":56,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1432820571716900,"flow_dst_last_pkt_time":1432820571716839,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":168,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":168,"pkt_l4_len":134,"thread_ts_usec":1432820571716900,"pkt":"ABoRAAACABoRAAABCABFwACaAABAAEARx00KCAABHw1JMNF0DZYAhta5AAMAaiESpEIAAOlKSWdSWOu7U1dAAABmAQCy86Qxc0\/TrfZVVa\/eTEZDohPoeRLoRZc1aFVhrGc1f8RW2vMjT5P8rAsiwZ+p9NloXItIT0xPBspixBWhh83rOo673FqXfKhsmqCbgcYysEXxS1G0BQlmTNaw3EzKh7wFRa3N"} -01379{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":64,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432820558921094,"flow_src_last_pkt_time":1432820571925000,"flow_dst_last_pkt_time":1432820571924969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":415,"flow_src_tot_l4_payload_len":984,"flow_dst_tot_l4_payload_len":706,"midstream":0,"thread_ts_usec":1432820571925000,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"184.173.179.46","src_port":35480,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":61,"flow_avg":72347304.0,"flow_max":2289106038,"flow_stddev":398149824.0,"c_to_s_min":61,"c_to_s_avg":135418240.0,"c_to_s_max":2289106038,"c_to_s_stddev":538427648.0,"s_to_c_min":153,"s_to_c_avg":866925.0,"s_to_c_max":10748901,"s_to_c_stddev":2644560.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":113.1,"c_to_s_max":410,"c_to_s_stddev":87.1,"s_to_c_min":54,"s_to_c_avg":101.1,"s_to_c_max":469,"s_to_c_stddev":107.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01366{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":64,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432820558921094,"flow_src_last_pkt_time":1432820571925000,"flow_dst_last_pkt_time":1432820571924969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":415,"flow_src_tot_l4_payload_len":984,"flow_dst_tot_l4_payload_len":706,"midstream":0,"thread_ts_usec":1432820571925000,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"184.173.179.46","src_port":35480,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":61,"flow_avg":838960.6,"flow_max":10748901,"flow_stddev":2599895.5,"c_to_s_min":61,"c_to_s_avg":812744.1,"c_to_s_max":10696747,"c_to_s_stddev":2557036.2,"s_to_c_min":153,"s_to_c_avg":866925.0,"s_to_c_max":10748901,"s_to_c_stddev":2644560.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":113.1,"c_to_s_max":410,"c_to_s_stddev":87.1,"s_to_c_min":54,"s_to_c_avg":101.1,"s_to_c_max":469,"s_to_c_stddev":107.9}},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00769{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":83,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432820624900403,"flow_src_last_pkt_time":1432820624900403,"flow_dst_last_pkt_time":1432820624900403,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820624900403,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.42","src_port":44819,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1432820624900403,"flow_dst_last_pkt_time":1432820624900403,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1432820624900403,"pkt":"ABoRAAACABoRAAABCABFAAA85gNAAEAGcjAKCAABnlU6Kq8TFGbeopMoAAAAAKACOQiB\/gAAAgQFtAQCCAoABHUrAAAAAAEDAwQ="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1432820624900403,"flow_dst_last_pkt_time":1432820625066907,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820625066907,"pkt":"ABoRAAACABoRAAABCABFAAAoACpAABAGiB6eVToqCggAARRmrxMhXWzX3qKTKVAS\/\/8J0AAA"} @@ -56,13 +56,13 @@ 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1432820633802533,"flow_dst_last_pkt_time":1432820633803845,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820633803845,"pkt":"ABoRAAACABoRAAABCABFAAAoADlAABAG1BCtwN69CggAARRmpQHPUwduMKz4klAS\/\/9f4wAA"} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":123,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1432820633804974,"flow_dst_last_pkt_time":1432820633803845,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820633804974,"pkt":"ABoRAAACABoRAAABCABFAAAogDhAAEAGJBEKCAABrcDevaUBFGYwrPiSz1MHb1AQOQgm3AAA"} 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":124,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1432820633802533,"flow_src_last_pkt_time":1432820633834790,"flow_dst_last_pkt_time":1432820633803845,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820633834790,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.192.222.189","src_port":42241,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} -01359{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":152,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1432820633802533,"flow_src_last_pkt_time":1432820634797314,"flow_dst_last_pkt_time":1432820634796460,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":505,"flow_src_tot_l4_payload_len":707,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1432820634797314,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.192.222.189","src_port":42241,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":122,"flow_avg":71348.2,"flow_max":457947,"flow_stddev":109797.6,"c_to_s_min":214,"c_to_s_avg":85947.7,"c_to_s_max":457947,"c_to_s_stddev":123789.3,"s_to_c_min":122,"s_to_c_avg":58466.3,"s_to_c_max":401459,"s_to_c_stddev":93902.7},"pktlen": {"c_to_s_min":54,"c_to_s_avg":102.5,"c_to_s_max":299,"c_to_s_stddev":68.4,"s_to_c_min":54,"s_to_c_avg":101.9,"s_to_c_max":559,"s_to_c_stddev":121.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01359{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":152,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1432820633802533,"flow_src_last_pkt_time":1432820634797314,"flow_dst_last_pkt_time":1432820634796460,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":505,"flow_src_tot_l4_payload_len":707,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1432820634797314,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.192.222.189","src_port":42241,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":122,"flow_avg":64151.9,"flow_max":457947,"flow_stddev":103861.5,"c_to_s_min":214,"c_to_s_avg":71055.8,"c_to_s_max":457947,"c_to_s_stddev":114419.5,"s_to_c_min":122,"s_to_c_avg":58466.3,"s_to_c_max":401459,"s_to_c_stddev":93902.7},"pktlen": {"c_to_s_min":54,"c_to_s_avg":102.5,"c_to_s_max":299,"c_to_s_stddev":68.4,"s_to_c_min":54,"s_to_c_avg":101.9,"s_to_c_max":559,"s_to_c_stddev":121.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00771{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":183,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432820681899121,"flow_src_last_pkt_time":1432820681899121,"flow_dst_last_pkt_time":1432820681899121,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820681899121,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.109","src_port":49721,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":183,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1432820681899121,"flow_dst_last_pkt_time":1432820681899121,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1432820681899121,"pkt":"ABoRAAACABoRAAABCABFAAA8YBFAAEAG998KCAABnlU6bcI5FGZRO+t+AAAAAKACOQiNYgAAAgQFtAQCCAoABItvAAAAAAEDAwQ="} 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":184,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1432820681899121,"flow_dst_last_pkt_time":1432820681901135,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820681901135,"pkt":"ABoRAAACABoRAAABCABFAAAoAFlAABAGh6yeVTptCggAARRmwjmuxBSBUTvrf1AS\/\/\/2ZgAA"} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":185,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1432820681901684,"flow_dst_last_pkt_time":1432820681901135,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820681901684,"pkt":"ABoRAAACABoRAAABCABFAAAoYBJAAEAG9\/IKCAABnlU6bcI5FGZRO+t\/rsQUglAQOQi9XwAA"} 00882{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":186,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1432820681899121,"flow_src_last_pkt_time":1432820681935773,"flow_dst_last_pkt_time":1432820681901135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820681935773,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.109","src_port":49721,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} -01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":214,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1432820681899121,"flow_src_last_pkt_time":1432820685106122,"flow_dst_last_pkt_time":1432820683287396,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":254,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":751,"midstream":0,"thread_ts_usec":1432820685106122,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.109","src_port":49721,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":91,"flow_avg":152169.2,"flow_max":1768433,"flow_stddev":312163.5,"c_to_s_min":122,"c_to_s_avg":217571.2,"c_to_s_max":1768433,"c_to_s_stddev":418885.9,"s_to_c_min":91,"s_to_c_avg":86767.2,"s_to_c_max":390289,"s_to_c_stddev":104268.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":97.2,"c_to_s_max":299,"c_to_s_stddev":68.0,"s_to_c_min":54,"s_to_c_avg":100.9,"s_to_c_max":308,"s_to_c_stddev":72.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":214,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1432820681899121,"flow_src_last_pkt_time":1432820685106122,"flow_dst_last_pkt_time":1432820683287396,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":254,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":751,"midstream":0,"thread_ts_usec":1432820685106122,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.109","src_port":49721,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":91,"flow_avg":148234.7,"flow_max":1768433,"flow_stddev":316376.5,"c_to_s_min":122,"c_to_s_avg":213800.1,"c_to_s_max":1768433,"c_to_s_stddev":432360.4,"s_to_c_min":91,"s_to_c_avg":86767.2,"s_to_c_max":390289,"s_to_c_stddev":104268.5},"pktlen": {"c_to_s_min":54,"c_to_s_avg":97.2,"c_to_s_max":299,"c_to_s_stddev":68.0,"s_to_c_min":54,"s_to_c_avg":100.9,"s_to_c_max":308,"s_to_c_stddev":72.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00769{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":235,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432820693796979,"flow_src_last_pkt_time":1432820693796979,"flow_dst_last_pkt_time":1432820693796979,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820693796979,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.5.199","src_port":51570,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":235,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_src_last_pkt_time":1432820693796979,"flow_dst_last_pkt_time":1432820693796979,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1432820693796979,"pkt":"ABoRAAACABoRAAABCABFAAA8Y3lAAEAGKR4KCAABnlUFx8lyAbsu9\/NsAAAAAKACOQjjKgAAAgQFtAQCCAoABJAVAAAAAAEDAwQ="} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":236,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_src_last_pkt_time":1432820693796979,"flow_dst_last_pkt_time":1432820693846142,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820693846142,"pkt":"ABoRAAACABoRAAABCABFAAAoAHNAABAGvDieVQXHCggAAQG7yXLRCAyTLvfzbVAS\/\/82fwAA"} @@ -95,5 +95,5 @@ ~~ total allocations/frees...: 121822/121822 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 497 chars -~~ json string max len.......: 1384 chars -~~ json string avg len.......: 939 chars +~~ json string max len.......: 1371 chars +~~ json string avg len.......: 933 chars diff --git a/test/results/whatsappfiles.pcap.out b/test/results/whatsappfiles.pcap.out index 02893b748..b2f4c06f5 100644 --- a/test/results/whatsappfiles.pcap.out +++ b/test/results/whatsappfiles.pcap.out @@ -7,14 +7,14 @@ 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924083506116,"flow_dst_last_pkt_time":1519924083501147,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1519924083506116,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01172{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924083506116,"flow_dst_last_pkt_time":1519924083598208,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":1398,"midstream":0,"thread_ts_usec":1519924083598208,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"2d1eb5817ece335c24904f516ad5da12","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01661{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924083506116,"flow_dst_last_pkt_time":1519924083599471,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":3208,"midstream":0,"thread_ts_usec":1519924083599471,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","server_names":"*.cdn.whatsapp.net,*.snr.whatsapp.net,*.whatsapp.com,*.whatsapp.net,whatsapp.com,whatsapp.net","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"2d1eb5817ece335c24904f516ad5da12","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.whatsapp.net","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"10:54:EB:4A:A2:2A:42:2F:A6:1C:E7:9C:F4:84:10:7E:30:2E:56:BB"}}} -01504{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924108832377,"flow_dst_last_pkt_time":1519924084217928,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":5152,"flow_dst_tot_l4_payload_len":3695,"midstream":0,"thread_ts_usec":1519924108832377,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":121970664.0,"flow_max":3876833251,"flow_stddev":674406784.0,"c_to_s_min":4,"c_to_s_avg":195112720.0,"c_to_s_max":3876833251,"c_to_s_stddev":844661568.0,"s_to_c_min":6,"s_to_c_avg":67228.4,"s_to_c_max":460945,"s_to_c_stddev":125969.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":324.2,"c_to_s_max":1464,"c_to_s_stddev":484.6,"s_to_c_min":66,"s_to_c_avg":374.6,"s_to_c_max":1464,"s_to_c_stddev":501.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} +01491{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924108832377,"flow_dst_last_pkt_time":1519924084217928,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":5152,"flow_dst_tot_l4_payload_len":3695,"midstream":0,"thread_ts_usec":1519924108832377,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":846062.3,"flow_max":24639770,"flow_stddev":4345174.0,"c_to_s_min":4,"c_to_s_avg":1337957.4,"c_to_s_max":24639770,"c_to_s_stddev":5492722.5,"s_to_c_min":6,"s_to_c_avg":67228.4,"s_to_c_max":460945,"s_to_c_stddev":125969.5},"pktlen": {"c_to_s_min":66,"c_to_s_avg":324.2,"c_to_s_max":1464,"c_to_s_stddev":484.6,"s_to_c_min":66,"s_to_c_avg":374.6,"s_to_c_max":1464,"s_to_c_stddev":501.9}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":311,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240121220,"flow_dst_last_pkt_time":1519924240121220,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1519924240121220,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":311,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1519924240121220,"flow_dst_last_pkt_time":1519924240121220,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1519924240121220,"pkt":"XEl5dU5qkLkxKPrKCABFAABAAABAAEAG5oDAqAIduTzYNcIiAbuCj0EnAAAAALDC\/\/+6MAAAAgQFtAEDAwYBAQgKKOd3WAAAAAAEAgAA"} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":312,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1519924240121220,"flow_dst_last_pkt_time":1519924240177946,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1519924240177946,"pkt":"kLkxKPrKXEl5dU5qCABFAAA8AABAAFUG0YS5PNg1wKgCHQG7wiLPr2ypgo9BKKASbTgw1AAAAgQFggQCCAq3hjooKOd3WAEDAwg="} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":313,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1519924240182174,"flow_dst_last_pkt_time":1519924240177946,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1519924240182174,"pkt":"XEl5dU5qkLkxKPrKCABFAAA0AABAAEAG5ozAqAIduTzYNcIiAbuCj0Eoz69sqoAQCAXEZQAAAQEICijnd5W3hjoo"} 01112{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":314,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240183173,"flow_dst_last_pkt_time":1519924240177946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1519924240183173,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"4e1a414c4f4c99097edd2a9a98e336c8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01172{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":316,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240183173,"flow_dst_last_pkt_time":1519924240244034,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":146,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":146,"midstream":0,"thread_ts_usec":1519924240244034,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"4e1a414c4f4c99097edd2a9a98e336c8","ja3s":"96681175a9547081bf3d417f1a572091","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} -01372{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":342,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240317078,"flow_dst_last_pkt_time":1519924240518900,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":12875,"midstream":0,"thread_ts_usec":1519924240518900,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":1477704.5,"flow_max":46693007,"flow_stddev":8120965.0,"c_to_s_min":4,"c_to_s_avg":3606835.8,"c_to_s_max":46693007,"c_to_s_stddev":12437929.0,"s_to_c_min":6,"s_to_c_avg":20930.5,"s_to_c_max":107518,"s_to_c_stddev":33976.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":141.9,"c_to_s_max":583,"c_to_s_stddev":139.7,"s_to_c_min":66,"s_to_c_avg":744.1,"s_to_c_max":1464,"s_to_c_stddev":666.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} +01358{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":342,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240317078,"flow_dst_last_pkt_time":1519924240518900,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":12875,"midstream":0,"thread_ts_usec":1519924240518900,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":4,"flow_avg":19146.4,"flow_max":107518,"flow_stddev":30886.0,"c_to_s_min":4,"c_to_s_avg":16321.5,"c_to_s_max":64953,"c_to_s_stddev":24971.6,"s_to_c_min":6,"s_to_c_avg":20930.5,"s_to_c_max":107518,"s_to_c_stddev":33976.1},"pktlen": {"c_to_s_min":66,"c_to_s_avg":141.9,"c_to_s_max":583,"c_to_s_stddev":139.7,"s_to_c_min":66,"s_to_c_avg":744.1,"s_to_c_max":1464,"s_to_c_stddev":666.4}},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} 01058{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":620,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":161,"flow_dst_packets_processed":149,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924193366820,"flow_dst_last_pkt_time":1519924193429446,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":178544,"flow_dst_tot_l4_payload_len":4980,"midstream":0,"thread_ts_usec":1519924247388841,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} 00939{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":620,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":132,"flow_dst_packets_processed":178,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924247388841,"flow_dst_last_pkt_time":1519924247384385,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":1170,"flow_dst_tot_l4_payload_len":225649,"midstream":0,"thread_ts_usec":1519924247388841,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} 00570{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":620,"source":"whatsappfiles.pcap","alias":"nDPId-test","packets-captured":620,"packets-processed":620,"total-skipped-flows":0,"total-l4-payload-len":410343,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":20,"global_ts_usec":1519924247388841} diff --git a/test/results/wireguard.pcap.out b/test/results/wireguard.pcap.out index 224a72be6..725ec7e53 100644 --- a/test/results/wireguard.pcap.out +++ b/test/results/wireguard.pcap.out @@ -5,7 +5,7 @@ 00688{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1563973554628780,"flow_dst_last_pkt_time":1563973554628757,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":186,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":186,"pkt_l4_len":152,"thread_ts_usec":1563973554628780,"pkt":"OCxKuzMdABAY3q0FCABFAACsFXoAADURYtGLosCdwKgADspsjRQAmIUlBAAAAL5AaY1sAAAAAAAAAApaAsrtXpH1hJEWMIaMon2Jp07DYKtFnos9KJ2dxNXsnPOlMw8teGIqqtQyAhfCvZKfSoj8FKmPC1PCtu8qqniK567s\/wF6cALr5IJXHXdFnmr1I94kKjzDU62XCT24xGedWrUZRek84+e2Fsx1lJJ6NR9cFgw9VnO9J77GX8hL"} 00624{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1563973554628780,"flow_dst_last_pkt_time":1563973554628915,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1563973554628915,"pkt":"ABAY3q0FOCxKuzMdCABFAAB8LYcAAEARP\/TAqAAOi6LAnY0UymwAaNyeBAAAAG2mYV5wAAAAAAAAAAo35XrmOHswcilnP2QelKUcrUyMt+9zQAFDeYSUJyyw9BNkc7uq5jhjxm51P1MBuT08PEWRrzriFSk+BrqayZkHU3Oi+bUZJb76bMmarQhF"} 00874{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973554628780,"flow_dst_last_pkt_time":1563973554642219,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":144,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":944,"flow_dst_tot_l4_payload_len":368,"midstream":0,"thread_ts_usec":1563973554642219,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} -01373{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973564026392,"flow_dst_last_pkt_time":1563973564026499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":4816,"flow_dst_tot_l4_payload_len":2160,"midstream":0,"thread_ts_usec":1563973564026499,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":23,"flow_avg":130695576.0,"flow_max":4163463045,"flow_stddev":724307904.0,"c_to_s_min":23,"c_to_s_avg":219624240.0,"c_to_s_max":4163463045,"c_to_s_stddev":929572736.0,"s_to_c_min":158,"s_to_c_avg":722903.2,"s_to_c_max":5525882,"s_to_c_stddev":1602794.9},"pktlen": {"c_to_s_min":138,"c_to_s_avg":295.5,"c_to_s_max":842,"c_to_s_stddev":218.5,"s_to_c_min":138,"s_to_c_avg":208.2,"s_to_c_max":314,"s_to_c_stddev":79.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01357{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973564026392,"flow_dst_last_pkt_time":1563973564026499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":4816,"flow_dst_tot_l4_payload_len":2160,"midstream":0,"thread_ts_usec":1563973564026499,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":23,"flow_avg":606302.4,"flow_max":5525882,"flow_stddev":1489465.9,"c_to_s_min":23,"c_to_s_avg":522090.8,"c_to_s_max":5525873,"c_to_s_stddev":1395886.9,"s_to_c_min":158,"s_to_c_avg":722903.2,"s_to_c_max":5525882,"s_to_c_stddev":1602794.9},"pktlen": {"c_to_s_min":138,"c_to_s_avg":295.5,"c_to_s_max":842,"c_to_s_stddev":218.5,"s_to_c_min":138,"s_to_c_avg":208.2,"s_to_c_max":314,"s_to_c_stddev":79.8}},"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00929{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1654,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":949,"flow_dst_packets_processed":704,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973742644251,"flow_dst_last_pkt_time":1563973742495194,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1362,"flow_dst_max_l4_payload_len":1362,"flow_src_tot_l4_payload_len":356036,"flow_dst_tot_l4_payload_len":108870,"midstream":0,"thread_ts_usec":1563973742644251,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00931{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2391,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":1358,"flow_dst_packets_processed":1032,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973930443496,"flow_dst_last_pkt_time":1563973930443700,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1362,"flow_dst_max_l4_payload_len":1362,"flow_src_tot_l4_payload_len":460922,"flow_dst_tot_l4_payload_len":171590,"midstream":0,"thread_ts_usec":1563973930443700,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00929{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2399,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":1362,"flow_dst_packets_processed":1037,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973935842428,"flow_dst_last_pkt_time":1563973935624796,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1362,"flow_dst_max_l4_payload_len":1362,"flow_src_tot_l4_payload_len":461322,"flow_dst_tot_l4_payload_len":172102,"midstream":0,"thread_ts_usec":1563973935842428,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} diff --git a/test/results/youtube_quic.pcap.out b/test/results/youtube_quic.pcap.out index 9439ff0ab..a43ab2e05 100644 --- a/test/results/youtube_quic.pcap.out +++ b/test/results/youtube_quic.pcap.out @@ -10,7 +10,7 @@ 00975{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1489363823738796,"flow_src_last_pkt_time":1489363823738796,"flow_dst_last_pkt_time":1489363823738796,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1489363823738796,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.198.33","src_port":56074,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"yt3.ggpht.com","quic": {"user_agent":"beta Chrome\/57.0.2987.98 Intel Mac OS X 10_12_3"}}} 02318{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1489363823738796,"flow_dst_last_pkt_time":1489363823782478,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1489363823782478,"pkt":"xCwDBkn+gCqojWksCABFAAViAABAADUR4H\/YOsYhwKgBBwG72woFTqYeCGI\/o1o3gkQjAfrje9Hje5P995YFE4ABUkVKAAgAAABTVEsAPAAAAFNOTwB0AAAAUFJPRroAAABTQ0ZHWQEAAFJSRUpdAQAAU1RUTGUBAABDU0NUVwIAAENSVP\/\/BQAA+LXECKXyXyaGkNvk1LnkKe2HcwZSdJKMjSZdwRtRvlgkC7wrIojsxa12VSbQ+UqytsSw5ZWrAguctbN84e+itVKKdDan60SbCn6HO8EhAZXhZCoi6zTXVPfruFP+xbK0jobs4P1ETvvj7642AaRXoyX3AiUwRAIga0VZvCZ3TBiWNQTgv6KY8y2d9RkggowYQwi1RHlUtm4CIDUxV08RC49VVgJORrtGSNh+UsyMA8+5V0kTzoS1\/6EyU0NGRwgAAABBRUFECAAAAFNDSUQYAAAAUERNRBwAAABUQktQIAAAAFBVQlNDAAAAS0VYU0cAAABPQklUTwAAAEVYUFlXAAAAQUVTR0NDMjBrdmP1GwKyBEvvwtZJjj6PQ0hJRFRCMTAgAAC7MI00KZ1MP25xAs8ApFxY\/QSpEMcZP7AIDZmbDnFGD0MyNTUwMDAwMDAwMEDbx1gAAAAADAAAAND3AQAAAAAAAPAAdQDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAVplaZe7AAAEAwBGMEQCIFrxuSR6yQfoERjhpyCo\/HC4DbnJyy5PDUNSQYvoLd7WAiA1du1k\/DfC+hSnbCFZ+CiZL\/WBsCA2tHRh+V5os9e8wAB3AN3rHSt6DU+mIIuBrYFocH4ujp0B1VyIjT0RxM227L7MAAABWmVpmAsAAAQDAEgwRgIhAK1Z+StuHvhEQzbhrizA0oP28zksTi\/aWkPYynKMWI7wAiEAoZsd0Sdt7uEo3XB3wMmgRGZNny2cfedCYnG3zpLag4YBA37tgIaiFYKRAgAAAAMB6IFgkpIa6AAAAAAAKgcAAHi7gTUtv1NjZwCWXOxKBk1sXJA2HIf55ae2MzL3PkFvyFGxkQUqDMwNjIyMgPkFmJfA7TkDUyC2MDUHdaIKsVrFwcPlDEw3aflFeZmJsATJzsPrm1+aVwJKXWGZqeVwd\/EguwvUlgC5i0dcCximIGFgJilKBqbG1Dxw1BtEGgizsQO9e84W2BLhADOYGdmZnRhYMt6FvD+wnV996Zw\/hsoKnDX1AkfE3LjmrmD0Xbj\/45IfeVee\/OywebVOPSnedOpTyamR\/2zN7jmfePP5sO3s0PyvawoWN7GsN2hiWU2oLGtizgMpEGRpYk4FchKbcLm1SUZLL7GgoBiHrApEtiAfzNUrBqaYxPRUqGJgYi4Gq+LT0kvKyU+HKWsSBPILUIWUtEBUbn4eMKcm4jBGE6QGbLcuVIVuSn55Xk5+Ygq6UnVMpaUF2BQqYChEVwEMgJT80qSc1OSczORs9ADgBoZbekEG3F8QzSnAIioVLAQP1+LKvBRo5QWWEIFJlKcm5WSmQ02Q19IrTkxLzSstwBHgYAV5KUn5FTgUKGrpEQoceYQS7IEioYUrJhFa9YpTgUFSgq6AByVW+dGjWYFgJEvhCWxORFDzowe0KPbgEMISyNrFJcB4SNYrSMwDOiE3Mx9f2hXDIS6LPxz4S\/PSMnOA5VFqil5eankxUtuLvcEgA6kEjwGWQdpIZbM8tLgsyM6EGgoukd09Hd2NwIWvNlJxD1MMDC6gj4sNkXWAqgCk9qDW3+B7S2xzw150iDxJLJ4oWT2f5yFamwi5WMfaiVKENDKAtRxaz4WDjS29kQdYohsYQFpFmgbqBqoLlBco"} 02313{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1489363823738796,"flow_dst_last_pkt_time":1489363823783077,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1489363823783077,"pkt":"xCwDBkn+gCqojWksCABFAAViAABAADUR4H\/YOsYhwKgBBwG72woFTtjVCGI\/o1o3gkQjAl1iY1+IPhyu0ittLaQBLgUZARLyTw62Xo9mQ7Tn55dir+alTNnl+EuTXetgrtU\/li3WZUF3t3EtPfqBg1nJrPp7bar7qdPHbjH8jwhk+pimkWuq6rVs4cviafuTL\/pWbDvkJD1zwixjdUFbM0aGipe63\/v0luly7P6xK4d1\/V35zVlHfZnq9OpLDbRdp3F95Wn77GK+6cqsr8cEfY77RjhzSh7Unhdryl2mU\/IhTPRZgsMXhZ65ayI6rm07a3GnaGsF6wp\/3rLVzcqh63smBXkUr5RrfvOpMsbbX\/13ZPXcymfXdeZ+LWmcELGYmfOd+prGpXeZdtiyB0ssnuZwNOYGp72hD8PxC2ds8mZMXnnvqd7Gb2w82Yw3Hn\/6nvVjXthRi\/UnDQF+1X0RAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} -01345{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1489363823738796,"flow_src_last_pkt_time":1489363823844687,"flow_dst_last_pkt_time":1489363823852784,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3698,"flow_dst_tot_l4_payload_len":22654,"midstream":0,"thread_ts_usec":1489363823852784,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.198.33","src_port":56074,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":12638.6,"flow_max":184557,"flow_stddev":33546.6,"c_to_s_min":45,"c_to_s_avg":22342.2,"c_to_s_max":184557,"c_to_s_stddev":49321.5,"s_to_c_min":6,"s_to_c_avg":5999.4,"s_to_c_max":43682,"s_to_c_stddev":11065.5},"pktlen": {"c_to_s_min":80,"c_to_s_avg":326.5,"c_to_s_max":1392,"c_to_s_stddev":465.4,"s_to_c_min":73,"s_to_c_avg":1234.3,"s_to_c_max":1392,"s_to_c_stddev":405.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +01341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1489363823738796,"flow_src_last_pkt_time":1489363823844687,"flow_dst_last_pkt_time":1489363823852784,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3698,"flow_dst_tot_l4_payload_len":22654,"midstream":0,"thread_ts_usec":1489363823852784,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.198.33","src_port":56074,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":6,"flow_avg":7092.9,"flow_max":47402,"flow_stddev":13323.0,"c_to_s_min":45,"c_to_s_avg":8824.2,"c_to_s_max":47402,"c_to_s_stddev":16117.9,"s_to_c_min":6,"s_to_c_avg":5999.4,"s_to_c_max":43682,"s_to_c_stddev":11065.5},"pktlen": {"c_to_s_min":80,"c_to_s_avg":326.5,"c_to_s_max":1392,"c_to_s_stddev":465.4,"s_to_c_min":73,"s_to_c_avg":1234.3,"s_to_c_max":1392,"s_to_c_stddev":405.7}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1489363824401150,"flow_src_last_pkt_time":1489363824401150,"flow_dst_last_pkt_time":1489363824401150,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1489363824401150,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.205.66","src_port":53859,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 02312{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1489363824401150,"flow_dst_last_pkt_time":1489363824401150,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1489363824401150,"pkt":"gCqojWksxCwDBkn+CABFAAVisIYAAEARAADAqAEH2DrNQtJjAbsFTmyMDXhX73QJ\/9nIUTAzNQGC9mpeAxq6QsMNjNmgAQAEQ0hMTx0AAABQQUQACAEAAFNOSQAjAQAAU1RLAF0BAABWRVIAYQEAAENDUwBxAQAATk9OQ5EBAABNU1BDlQEAAEFFQUSZAQAAVUFJRMgBAABTQ0lE2AEAAFRDSUTcAQAAUERNROABAABTUkJG5AEAAFNNSEzoAQAASUNTTOwBAABDVElN9AEAAE5PTlAUAgAAUFVCUzQCAABNSURTOAIAAFNDTFM8AgAAS0VYU0ACAABYTENUSAIAAENTQ1RIAgAAQ09QVEgCAABDQ1JUYAIAAElSVFRkAgAAQ0VUVggDAABDRkNXDAMAAFNGQ1cQAwAALS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tZ29vZ2xlYWRzLmcuZG91YmxlY2xpY2submV0gCa63gfstks25NXDBda+jRe1AwMuFIPOgLr8Vdt88WUvAddL7KVg5kyrPLEzz5PxZEMuEuhwybaZ0VEwMzUB6IFgkpIa6H7tgIaiFYKRWMXjcDAwMDAwMDAwQoHc+xZQMEvJrifGGZTcfUn5aXxkAAAAQ0MyMGJldGEgQ2hyb21lLzU3LjAuMjk4Ny45OCBJbnRlbCBNYWMgT1MgWCAxMF8xMl8za3Zj9RsCsgRL78LWSY4+jwAAAABYNTA5AAAQAAEAAAAeAAAAcOPFWAAAAACN\/AA7IChJw\/uFk6rkJtT8KHam\/zP1YJxL1R6PGerdhviM0jsqfVXK1sMGRgIfu1Gw5yjD\/\/Q\/fKW3aZLxbK0ZZAAAAAEAAABDMjU1qvorPqjeOwuq+is+qN47Cz2t9HxBefiRQAt7kKmueet+NAEAgygqfGXu0L2syT5vA8mDxoSqG087cDiVovZ6s0ywmTUWtgw5lXy+Ac4T6qWEMJOPvUqVQrabfhIiKh6bU4h\/Diu+B3D3YFOkHFOA3JEmhpJ\/3PZn9DncBSC36LdWvsJ8Uwgl2IG2lc1SfhMotW8c5gE3wCT8YVfQJL1vCNMKzgZWBrzkDiYZ7cTxYUMsLfK1F7K2mD1WVm4PU008ujahjZ6t1bAAAPAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 01006{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1489363824401150,"flow_src_last_pkt_time":1489363824401150,"flow_dst_last_pkt_time":1489363824401150,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1489363824401150,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.205.66","src_port":53859,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"googleads.g.doubleclick.net","quic": {"user_agent":"beta Chrome\/57.0.2987.98 Intel Mac OS X 10_12_3"}}} diff --git a/test/results/youtubeupload.pcap.out b/test/results/youtubeupload.pcap.out index 76fd710c8..eb32e54df 100644 --- a/test/results/youtubeupload.pcap.out +++ b/test/results/youtubeupload.pcap.out @@ -17,7 +17,7 @@ 00989{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1511102578051971,"flow_src_last_pkt_time":1511102578051971,"flow_dst_last_pkt_time":1511102578051971,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1511102578051971,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":62232,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"upload.youtube.com","quic": {"user_agent":"Chrome\/62.0.3202.94 Windows NT 10.0; Win64; x64"}}} 02318{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1511102578051971,"flow_dst_last_pkt_time":1511102578108526,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1511102578108526,"pkt":"2MuK4S0uXEl5dU5qCABFAAViAABAADgRtn+s2RdvwKgCGwG78xgFTs8jCAjRAddSQpCnAZLrpBY0DjIhd5jwe0ABH5UBAQD\/\/\/\/1BgCAAVJFSgAIAAAAU1RLADgAAABTTk8AbAAAAFBST0a0AAAAU0NGR1MBAABSUkVKVwEAAFNUVExfAQAAQ1NDVFECAABDUlT\/XwkAAOdd9OCaMJjZHEuQSnBheExXijy9L8yxcLxijUGUgt7VeQLmXHCE0dSCjTwUu4DOXBlw0HTG62CtZtu2a6Ru1X+sH1IA2FJqDRpGVA5MHyMKc7vKtJZUWy6Wq\/FvJH3N94ZirXYSBfeq9Qo8ATBGAiEAppVGAzltTsobgX744i5bBeIqIDO\/YtwFhdblUPMaf9ECIQDgN5eoKUWZEY4A\/yjD3jA5j4ZdDcRSfqhMU1oZUTGdIVNDRkcIAAAAQUVBRAgAAABTQ0lEGAAAAFBETUQcAAAAVEJLUCAAAABQVUJTQwAAAEtFWFNHAAAAT0JJVE8AAABFWFBZVwAAAEFFU0dDQzIw9lqyAICUa+kwugeWBsbKvkNISURUQjEwIAAAhphHmLi5BO0Bd0EZ92vmXccblzalgzbYj90Qfoq9ozBDMjU1MDAwMDAwMDBAFRRaAAAAAAwAAADNfAIAAAAAAADwAHUApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFfeBYhgQAABAMARjBEAiBdvW4RdrxYmmjeJbc+3jgs5l6RJLipl3aPIQhj9TtUVgIgA9hjkGDtPgI+WyeFtwtRP0uw9dCVeIWw5SDGQbdmUYsAdwDd6x0reg1PpiCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAAAV94FiCrAAAEAwBIMEYCIQCUIhZCh2zhmqj0uNpoeUCnAI4TO75j9mv1oMYRKX9EbwIhAIVqH7drJ4DDuKcAhaeeCXOoj8EoQkKnHGLbzkyKPDlhAQEDAeiBYJKSGugAAAAAALsLAAB4u4FGwB+tWGtQE1cUJpBXY6I8VdDyFNEgYZOQAr7wiYpWBawlaIsJ2cBCSCJJwEgVWK3A4KNOsVAVxfdjqlClUhXRURAFClYRHasEpKBgRdBILVjtzS6ETSYz9oczmdmc777Onnvu9527WTQrwFy0TRBKTcQLKrp9dm9xz+ylJ4l0NALQ0SJTNhpMGAZIGIUiTgYb8pXrDXnhuTHeCAI35bB6mBzcF\/AwMggEG8\/l8gN4AQK8oOLyArh8PlZQSS0uRWcy5oK8kSqS5YhoKCFpTNbnCo1cbciulQicavSLSfTLCXLA\/GIy2SCmBhjbXCGAaeAd62cA1adjf2xINJs5VuSOLXMcnO6g0xtjxu1zfIrK71z\/\/lBHSmjev8J8r4IzjW36x8zZNOc0+uStj3j5jQFTCvdXObyJDvLf4usWsNFD234IpYyDUMoYbF1AYEyIMUxgprRFy4BQm1YDYkdGbe4DoxE1cRNlsTkiuSRZgUgwczQwlUpYHofIYWI3ezYnVqbQSIiYI5sjEQfx+cECvhGWo1QwPWhGR4JnLMjJFDVvaGa8k59ILpJp1UisCsNHDLsjIhoybIah1TiI3NROUJramkR0FPHFOKJkc0BjBojNewCvTYGkdWaA2nxIipzgswQmGLCKYEiTCUa8hmAgaoIhlxEMpYmhNmwBbogkgDbw4BmdwRG5YU9wALQmwaAKwbrZDaEpiARWYJAhC1RqQKaxhmEsggUaGWzDvnEJ\/3lDO54Eq5NBL2JvMBWod+IRjNRQW4MlI+YJ2HmtQqPWiGE\/uSJWoUhEjKk3iJt1gyUaXPYxnAZwNUeMxRakTVIchroY"} 02333{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1511102578051971,"flow_dst_last_pkt_time":1511102578109522,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1511102578109522,"pkt":"2MuK4S0uXEl5dU5qCABFAAViAABAADgRtn+s2RdvwKgCGwG78xgFTrFpCAjRAddSQpCnArwHRDvEv6bzYWaHzaQBBSEEhrNWhsBytYq44AhiRo+TwCmwTKGEk42JPpys442NKgutZCyRqQAAtRXqaDF9GcRDYiH0Y\/Fi0MLsDELQGJhY4OvQsShgL0wMj6PF4FCw0EDxBIlYDUjOl0D+boN8rExECEHyX7Bo9gIexu6+BD0Z6jwYVS5xhEFjCAVnb9OEZ+1zI6xu60jhXe7FYiEjXGJWdBF1I+wRdfS48r74X1JeZ567KHa5EJ3pD3ngVQyQUTCSgZUFTVprCgmiU6lxmUwgGRCEl12TIR\/Iu8iryOND7yMz0xaswN6jCztbGOmK9M1HAtnb0p6qNH6hov6O7rqWzJfC2lmeHtZeU6WbjsS8u3ntcJQzOr2oWOwTXcLWes24V6eOPFWo8+TNul2fEFLQ78eM1PXs2XQnqjfDqk3auk2v6+r9pEcxm7ylpmzrihbHoOb9i7fucvoKaS0tCfOsbMqMP3nB9ezFL69FLLtTF+p+dsZl1fPc\/DBpqVvY0e9eHrAZ+VA9+k3JGb\/9upojFbdLGEEHzpW4tGy79WmG8IZ+5InTV7teNKN9mWsYUcLOpqcV59uW1kr1OramoTHz1vv11JzRr2tDd4S\/WkfbF2P7ZGza6rI\/j9Us8WXle5QG\/b6jzfNgyphjqo6oKWSDFJMnAQGwxaXYlmTl4Z1d0i88lvqCkib10ZlL8sf48IBpMSTg8YAY8\/iBmBZzeXzwEwQLgqM\/pux\/6Oa0l01OXX1\/+c6p1ENoy\/3lC8tzQnqdlS7ZoRtbdlT15tR7dEe\/E7HKePNyitQjIpd9cbgeFe\/qfiaMud5KybCv\/DovpHzVwiB95N8TOgZ2djpVNugjWfqwt\/tXNG+oKEpUZF25tdxtEmQz6wFdFS5Lfz91+rFA6vZLi+3IzzZMaO745y137UDe3TWvOGHFc27XdlUmuJypi3zktDjX7YazyO23wuMzY303CxB48w3nqlDPN5G7Ktoywmyvs\/+6kO9uVx38oy25qEe0fpf31qURmsfnntNrHN\/WeyacXdoQapOfb7Pxys\/NacXz+Q0XZq4ta9Z7e19lCXIKCwdG2mlzXAOrircnI\/g3DpRkByLCMjmYFj9jDB9zi+fW\/KMGh8A\/npA75EqgFPvB8xrHUWmTYjFShuyNNEGHqOBhDa5jAvygcyBwwyoCN6wtE0wGiocL7zg1ftXFTvv\/oJAPXPQs8EXNovaf7kkkqasq1vY36F29qncjsStini1pcp7kJZFuH1+dlSGJIedOLC7QMZTl5c4zutP4J9Iv6SmNyouUidqu3dUF52nOcEDd9M6QKlK\/grnxj\/XK1Uve+Vn11FT4bS89njFAcsiu3RvSfjG1ZmrcZ6\/q7\/pYJ88tuiS37l1AWTuTJOy02+fyavOojKMH1wn8z1UfTB\/zTWvuytPdcdnhPtCaI+KIa4F3p3V9yyYFZR1sUJ46vP5m5ZOaqgflXryX78ZeTWvRTfNvvGXb8cOSgXllHhLWeas8yH5iVlRBMCVoVB26EFSw0u7LpTGV75XHW9Nztb6\/wrxD58u4nYzXfW68h\/8B+TYP2QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} -01385{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1511102576794424,"flow_src_last_pkt_time":1511102580012300,"flow_dst_last_pkt_time":1511102579994904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":18813,"flow_dst_tot_l4_payload_len":4860,"midstream":0,"thread_ts_usec":1511102580012300,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":51925,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":80,"flow_avg":132483152.0,"flow_max":4233042472,"flow_stddev":736482368.0,"c_to_s_min":351,"c_to_s_avg":192557296.0,"c_to_s_max":4233042472,"c_to_s_stddev":881706240.0,"s_to_c_min":80,"s_to_c_avg":320048.0,"s_to_c_max":1883081,"s_to_c_stddev":611367.6},"pktlen": {"c_to_s_min":77,"c_to_s_avg":897.1,"c_to_s_max":1392,"c_to_s_stddev":601.9,"s_to_c_min":58,"s_to_c_avg":528.0,"s_to_c_max":1392,"s_to_c_stddev":587.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +01367{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1511102576794424,"flow_src_last_pkt_time":1511102580012300,"flow_dst_last_pkt_time":1511102579994904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":18813,"flow_dst_tot_l4_payload_len":4860,"midstream":0,"thread_ts_usec":1511102580012300,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":51925,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":80,"flow_avg":207043.7,"flow_max":1883081,"flow_stddev":509890.4,"c_to_s_min":351,"c_to_s_avg":153232.2,"c_to_s_max":1825776,"c_to_s_stddev":443654.8,"s_to_c_min":80,"s_to_c_avg":320048.0,"s_to_c_max":1883081,"s_to_c_stddev":611367.6},"pktlen": {"c_to_s_min":77,"c_to_s_avg":897.1,"c_to_s_max":1392,"c_to_s_stddev":601.9,"s_to_c_min":58,"s_to_c_avg":528.0,"s_to_c_max":1392,"s_to_c_stddev":587.0}},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00772{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":137,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":7,"flow_first_seen":1511102576835328,"flow_src_last_pkt_time":1511102576954116,"flow_dst_last_pkt_time":1511102576952686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":1430,"flow_src_tot_l4_payload_len":295,"flow_dst_tot_l4_payload_len":4409,"midstream":0,"thread_ts_usec":1511102594936951,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":57452,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":137,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":80,"flow_dst_packets_processed":20,"flow_first_seen":1511102576794424,"flow_src_last_pkt_time":1511102580286427,"flow_dst_last_pkt_time":1511102580285015,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":97113,"flow_dst_tot_l4_payload_len":5163,"midstream":0,"thread_ts_usec":1511102594936951,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":51925,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00929{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":137,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":11,"flow_first_seen":1511102578051971,"flow_src_last_pkt_time":1511102594783349,"flow_dst_last_pkt_time":1511102594936951,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":8105,"flow_dst_tot_l4_payload_len":6001,"midstream":0,"thread_ts_usec":1511102594936951,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":62232,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} diff --git a/test/results/zcash.pcap.out b/test/results/zcash.pcap.out index 7326b7e23..d6823d9e8 100644 --- a/test/results/zcash.pcap.out +++ b/test/results/zcash.pcap.out @@ -5,7 +5,7 @@ 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1514196094240063,"flow_dst_last_pkt_time":1514196094322725,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1514196094322725,"pkt":"cIXCQA64fmgbW\/gUCABFAAA8AABAADMGDb6yIMTZwKgCXCNa15Yj5r0mgJ3\/OqAScSDZNwAAAgQFtAQCCArshW\/8T467sAEDAwk="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1514196094322778,"flow_dst_last_pkt_time":1514196094322725,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1514196094322778,"pkt":"fmgbW\/gUcIXCQA64CABFAAA0ux5AAEAGRafAqAJcsiDE2deWI1qAnf86I+a9J4AQAOV4LAAAAQEICk+Ou8XshW\/8"} 01095{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1514196094240063,"flow_src_last_pkt_time":1514196094322947,"flow_dst_last_pkt_time":1514196094322725,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1514196094322947,"l3_proto":"ip4","src_ip":"192.168.2.92","dst_ip":"178.32.196.217","src_port":55190,"dst_port":9050,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01598{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1514196094240063,"flow_src_last_pkt_time":1514196187394861,"flow_dst_last_pkt_time":1514196187518495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":303,"flow_src_tot_l4_payload_len":1724,"flow_dst_tot_l4_payload_len":1124,"midstream":0,"thread_ts_usec":1514196187518495,"l3_proto":"ip4","src_ip":"192.168.2.92","dst_ip":"178.32.196.217","src_port":55190,"dst_port":9050,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":24,"flow_avg":39546904.0,"flow_max":1079067695,"flow_stddev":187078752.0,"c_to_s_min":169,"c_to_s_avg":65123472.0,"c_to_s_max":1079067695,"c_to_s_stddev":246168496.0,"s_to_c_min":24,"s_to_c_avg":6662745.0,"s_to_c_max":50191373,"s_to_c_stddev":12694152.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":162.2,"c_to_s_max":326,"c_to_s_stddev":96.9,"s_to_c_min":66,"s_to_c_avg":149.4,"s_to_c_max":369,"s_to_c_stddev":101.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +01590{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1514196094240063,"flow_src_last_pkt_time":1514196187394861,"flow_dst_last_pkt_time":1514196187518495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":303,"flow_src_tot_l4_payload_len":1724,"flow_dst_tot_l4_payload_len":1124,"midstream":0,"thread_ts_usec":1514196187518495,"l3_proto":"ip4","src_ip":"192.168.2.92","dst_ip":"178.32.196.217","src_port":55190,"dst_port":9050,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":24,"flow_avg":6013975.0,"flow_max":50191373,"flow_stddev":12033642.0,"c_to_s_min":169,"c_to_s_avg":5479694.0,"c_to_s_max":48786215,"c_to_s_stddev":11433537.0,"s_to_c_min":24,"s_to_c_avg":6662745.0,"s_to_c_max":50191373,"s_to_c_stddev":12694152.0},"pktlen": {"c_to_s_min":66,"c_to_s_avg":162.2,"c_to_s_max":326,"c_to_s_stddev":96.9,"s_to_c_min":66,"s_to_c_avg":149.4,"s_to_c_max":369,"s_to_c_stddev":101.0}},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00554{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":88,"source":"zcash.pcap","alias":"nDPId-test","packets-captured":88,"packets-processed":87,"total-skipped-flows":0,"total-l4-payload-len":6805,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1514196730496095} 01144{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":145,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":83,"flow_dst_packets_processed":62,"flow_first_seen":1514196094240063,"flow_src_last_pkt_time":1514197248783309,"flow_dst_last_pkt_time":1514197248783271,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":303,"flow_src_tot_l4_payload_len":6299,"flow_dst_tot_l4_payload_len":4723,"midstream":0,"thread_ts_usec":1514197248783309,"l3_proto":"ip4","src_ip":"192.168.2.92","dst_ip":"178.32.196.217","src_port":55190,"dst_port":9050,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":145,"source":"zcash.pcap","alias":"nDPId-test","packets-captured":145,"packets-processed":145,"total-skipped-flows":0,"total-l4-payload-len":11022,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1514197248783309} @@ -22,5 +22,5 @@ ~~ total allocations/frees...: 121582/121582 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 476 chars -~~ json string max len.......: 1603 chars -~~ json string avg len.......: 1017 chars +~~ json string max len.......: 1595 chars +~~ json string avg len.......: 1013 chars diff --git a/test/results/zoom.pcap.out b/test/results/zoom.pcap.out index c9b8bf3e3..bdd858d7e 100644 --- a/test/results/zoom.pcap.out +++ b/test/results/zoom.pcap.out @@ -102,7 +102,7 @@ 01107{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":112,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470165906,"flow_dst_last_pkt_time":1569520470280367,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1569520470280367,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}} 01550{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":116,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470280708,"flow_dst_last_pkt_time":1569520470280793,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5608,"midstream":0,"thread_ts_usec":1569520470280793,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}} 00796{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":124,"source":"zoom.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1569520470350181,"flow_dst_last_pkt_time":1569520466080774,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":265,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":265,"pkt_l4_len":231,"thread_ts_usec":1569520470350181,"pkt":"EBMx8Tl2KDc3AG3ICABFAAD7AABAAEAGtb7AqAF1rNkVSNZGAbt9MLg2pduNV4AYEAjK4AAAAQEICiWc3wRwmChtFgMBAMIBAAC+AwE5BEH329R9hgOe6JDNh5Do5\/IyBg\/qLeMPj9mOGNz+swAAEgAvADMANQA5wAnACsATwBRWAAEAAIP\/AQABAAAAAB0AGwAAGHd3dy5nb29nbGV0YWdtYW5hZ2VyLmNvbQAXAAAABQAFAQAAAAAzdAAAABIAAAAQADAALgJoMgVoMi0xNgVoMi0xNQVoMi0xNAhzcGR5LzMuMQZzcGR5LzMIaHR0cC8xLjEACwACAQAACgAKAAgAHQAXABgAGQ=="} -01194{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":38450.6,"flow_max":210729,"flow_stddev":58459.6,"c_to_s_min":3,"c_to_s_avg":42276.9,"c_to_s_max":210729,"c_to_s_stddev":62418.1,"s_to_c_min":13,"s_to_c_avg":35074.5,"s_to_c_max":143960,"s_to_c_stddev":54507.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":202.9,"c_to_s_max":864,"c_to_s_stddev":271.5,"s_to_c_min":60,"s_to_c_avg":1095.4,"s_to_c_max":1506,"s_to_c_stddev":617.8}}} +01194{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":38469.9,"flow_max":210729,"flow_stddev":59394.9,"c_to_s_min":3,"c_to_s_avg":42592.9,"c_to_s_max":210729,"c_to_s_stddev":64597.3,"s_to_c_min":13,"s_to_c_avg":35074.5,"s_to_c_max":143960,"s_to_c_stddev":54507.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":202.9,"c_to_s_max":864,"c_to_s_stddev":271.5,"s_to_c_min":60,"s_to_c_avg":1095.4,"s_to_c_max":1506,"s_to_c_stddev":617.8}}} 01554{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":156,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":158,"source":"zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520470666966,"flow_src_last_pkt_time":1569520470666966,"flow_dst_last_pkt_time":1569520470666966,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520470666966,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":158,"source":"zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1569520470666966,"flow_dst_last_pkt_time":1569520470666966,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1569520470666966,"pkt":"\/\/\/\/\/\/\/\/KDc3AG3ICABFAABI4PAAAEARFPDAqAF1wKgB\/+EV4RUANLyaU3BvdFVkcDAJFTOWktM6lAABAARIlcIDDi3QR5gZLZgtSkZtNr91y8rdz4k="} @@ -158,7 +158,7 @@ 01232{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":286,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471221044,"flow_dst_last_pkt_time":1569520471255395,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569520471255395,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomfrn99mmr.zoom.us","tls": {"version":"TLSv1.2","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01660{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":291,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471255585,"flow_dst_last_pkt_time":1569520471266033,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5536,"midstream":0,"thread_ts_usec":1569520471266033,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomfrn99mmr.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}} 00592{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":302,"source":"zoom.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1569520471399595,"flow_dst_last_pkt_time":1569520467811636,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":113,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":113,"pkt_l4_len":79,"thread_ts_usec":1569520471399595,"pkt":"EBMx8Tl2KDc3AG3ICABFAABjAABAAEAGoUnAqAF1PpWYmdRFA+E5lpAkp\/QQcoAYEAA2VgAAAQEICiWc4viZh0dJFwMDACpAXTQxH2s8yyXvpDmREm16+\/VcNt\/x\/vlsIce1k7D8R+clMelpc+AJPCA="} -01583{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471662963,"flow_dst_last_pkt_time":1569520471590160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3063,"flow_dst_tot_l4_payload_len":8708,"midstream":0,"thread_ts_usec":1569520471662963,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":28641.0,"flow_max":156067,"flow_stddev":39780.9,"c_to_s_min":3,"c_to_s_avg":28632.8,"c_to_s_max":156067,"c_to_s_stddev":36838.5,"s_to_c_min":1,"s_to_c_avg":28651.5,"s_to_c_max":156062,"s_to_c_stddev":43270.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":236.8,"c_to_s_max":1506,"c_to_s_stddev":344.5,"s_to_c_min":66,"s_to_c_avg":688.6,"s_to_c_max":1506,"s_to_c_stddev":655.8}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} +01583{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471662963,"flow_dst_last_pkt_time":1569520471590160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3063,"flow_dst_tot_l4_payload_len":8708,"midstream":0,"thread_ts_usec":1569520471662963,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":28227.3,"flow_max":156067,"flow_stddev":40349.6,"c_to_s_min":3,"c_to_s_avg":27877.9,"c_to_s_max":156067,"c_to_s_stddev":37771.0,"s_to_c_min":1,"s_to_c_avg":28651.5,"s_to_c_max":156062,"s_to_c_stddev":43270.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":236.8,"c_to_s_max":1506,"c_to_s_stddev":344.5,"s_to_c_min":66,"s_to_c_avg":688.6,"s_to_c_max":1506,"s_to_c_stddev":655.8}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471748648,"flow_dst_last_pkt_time":1569520471748648,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":107,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":107,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520471748648,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00640{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1569520471748648,"flow_dst_last_pkt_time":1569520471748648,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":149,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":149,"pkt_l4_len":115,"thread_ts_usec":1569520471748648,"pkt":"EBMx8Tl2KDc3AG3ICABFAACHYY4AAEARSPnAqAF1bV6gY+PXImEAcwEfAQACfUZNNf\/9ojRJXQ1tO1HolgAAAAAAAAACAHoAKgB6ACoAAABADhc935YCXvuVxCQMI1O\/y\/Bgvpncu9jEece5cy1sdfpDYvCDXrg+TanGp+bzCbMeQN8Pa7V1aoQPcx2bwfanLQAAAAA="} 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471748648,"flow_dst_last_pkt_time":1569520471748648,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":107,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":107,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520471748648,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} @@ -171,7 +171,7 @@ 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":425,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520471915269,"flow_src_last_pkt_time":1569520471915269,"flow_dst_last_pkt_time":1569520471915269,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":107,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":107,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520471915269,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":60620,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":442,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_src_last_pkt_time":1569520471915269,"flow_dst_last_pkt_time":1569520471939789,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"thread_ts_usec":1569520471939789,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA\/uqdAADURuydtXqBjwKgBdSJh7MwAK7AuAgABgEJ0mpHOZDa3wq7Yfnt8kABaDj8AegDRAAAAAAAAAAA="} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":443,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":3,"flow_src_last_pkt_time":1569520471915269,"flow_dst_last_pkt_time":1569520471939806,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":21,"thread_ts_usec":1569520471939806,"pkt":"KDc3AG3IEBMx8Tl2CABFAAApuqhAADURuzxtXqBjwKgBdSJh7MwAFUSkAwAAAAF2Ko4UAFoOPwAAAAAA"} -01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":474,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471785584,"flow_dst_last_pkt_time":1569520472033049,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":13,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":1029,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":26845,"midstream":0,"thread_ts_usec":1569520472033049,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":28,"flow_avg":10507.6,"flow_max":35562,"flow_stddev":8428.7,"c_to_s_min":4719,"c_to_s_avg":17280.3,"c_to_s_max":32217,"c_to_s_stddev":11351.0,"s_to_c_min":28,"s_to_c_avg":9806.9,"s_to_c_max":35562,"s_to_c_stddev":7734.8},"pktlen": {"c_to_s_min":55,"c_to_s_avg":103.0,"c_to_s_max":149,"c_to_s_stddev":38.4,"s_to_c_min":60,"s_to_c_avg":967.9,"s_to_c_max":1071,"s_to_c_stddev":303.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} +01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":474,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471785584,"flow_dst_last_pkt_time":1569520472033049,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":13,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":1029,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":26845,"midstream":0,"thread_ts_usec":1569520472033049,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":28,"flow_avg":10365.7,"flow_max":35562,"flow_stddev":8525.9,"c_to_s_min":4719,"c_to_s_avg":18468.0,"c_to_s_max":32217,"c_to_s_stddev":13749.0,"s_to_c_min":28,"s_to_c_avg":9806.9,"s_to_c_max":35562,"s_to_c_stddev":7734.8},"pktlen": {"c_to_s_min":55,"c_to_s_avg":103.0,"c_to_s_max":149,"c_to_s_stddev":38.4,"s_to_c_min":60,"s_to_c_avg":967.9,"s_to_c_max":1071,"s_to_c_stddev":303.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":651,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520473084563,"flow_src_last_pkt_time":1569520473084563,"flow_dst_last_pkt_time":1569520473084563,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":109,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":109,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":109,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520473084563,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":61731,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00648{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":651,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_src_last_pkt_time":1569520473084563,"flow_dst_last_pkt_time":1569520473084563,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":151,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":151,"pkt_l4_len":117,"thread_ts_usec":1569520473084563,"pkt":"EBMx8Tl2KDc3AG3ICABFAACJ4\/YAAEARxo7AqAF1bV6gY\/EjImEAde5DAQACOkSxT2rBSy0CI5EJ7ghSoQAAAAAAAAACAHoFYgB6BWIAAABAyr1YPP8KZ34wUqB9PR5Zle\/sBvgfAfGBqNzDFPjrnryOYaOvAtAdhsk5Sd978V5OWjrnwByNSAVBXX+sDOwgiv\/\/\/\/8KAA=="} 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":651,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520473084563,"flow_src_last_pkt_time":1569520473084563,"flow_dst_last_pkt_time":1569520473084563,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":109,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":109,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":109,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520473084563,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":61731,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} diff --git a/test/results/zoom2.pcap.out b/test/results/zoom2.pcap.out index 62349bfb5..e5ea343c7 100644 --- a/test/results/zoom2.pcap.out +++ b/test/results/zoom2.pcap.out @@ -7,12 +7,12 @@ 01235{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965458578318,"flow_dst_last_pkt_time":1642965458577638,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642965458578318,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomsjccv154mmr.sjc.zoom.us","tls": {"version":"TLSv1.2","ja3":"832952db10f1453442636675bed2702b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01295{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965458578318,"flow_dst_last_pkt_time":1642965458752945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1642965458752945,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomsjccv154mmr.sjc.zoom.us","tls": {"version":"TLSv1.2","ja3":"832952db10f1453442636675bed2702b","ja3s":"8aca82d60194883e764ab2743e60c380","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01676{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965458578318,"flow_dst_last_pkt_time":1642965458752990,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":4096,"midstream":0,"thread_ts_usec":1642965458752990,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomsjccv154mmr.sjc.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.sjc.zoom.us","ja3":"832952db10f1453442636675bed2702b","ja3s":"8aca82d60194883e764ab2743e60c380","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7"}}} -01606{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965459315313,"flow_dst_last_pkt_time":1642965459315763,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3004,"flow_dst_tot_l4_payload_len":9722,"midstream":0,"thread_ts_usec":1642965459315763,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":94704824.0,"flow_max":3028729234,"flow_stddev":526966336.0,"c_to_s_min":1,"c_to_s_avg":178214208.0,"c_to_s_max":3028729234,"c_to_s_stddev":712628736.0,"s_to_c_min":2,"s_to_c_avg":60852.3,"s_to_c_max":198571,"s_to_c_stddev":85746.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":243.4,"c_to_s_max":1506,"c_to_s_stddev":372.6,"s_to_c_min":66,"s_to_c_avg":714.7,"s_to_c_max":1506,"s_to_c_stddev":603.3}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} +01583{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965459315313,"flow_dst_last_pkt_time":1642965459315763,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3004,"flow_dst_tot_l4_payload_len":9722,"midstream":0,"thread_ts_usec":1642965459315763,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":58874.8,"flow_max":198571,"flow_stddev":83051.8,"c_to_s_min":1,"c_to_s_avg":57020.9,"c_to_s_max":182407,"c_to_s_stddev":80399.7,"s_to_c_min":2,"s_to_c_avg":60852.3,"s_to_c_max":198571,"s_to_c_stddev":85746.3},"pktlen": {"c_to_s_min":66,"c_to_s_avg":243.4,"c_to_s_max":1506,"c_to_s_stddev":372.6,"s_to_c_min":66,"s_to_c_avg":714.7,"s_to_c_max":1506,"s_to_c_stddev":603.3}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":95,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459595620,"flow_dst_last_pkt_time":1642965459595620,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":123,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":123,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642965459595620,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00657{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1642965459595620,"flow_dst_last_pkt_time":1642965459595620,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":165,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":165,"pkt_l4_len":131,"thread_ts_usec":1642965459595620,"pkt":"EBMx8Tl2KDc3AG3ICABFAACXeHsAAEARZSPAqAGykMNJmuztImEAgzNnAQADyErEUocYzaK4R3obiZ8zgwAAAAAAAAACAG9hPwBvYT8AAABA5tdm9ZTyTIyTAkYLAufeKJLgneU8bl8DozakMMlr\/JDYAlm5+8RxsTcW0dGDYHnKojsP3MD2C2S9PgF8PPhtdgAAAAAAQABAAAB1MAABAAMAAiAA"} 00657{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":104,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1642965459696999,"flow_dst_last_pkt_time":1642965459595620,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":165,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":165,"pkt_l4_len":131,"thread_ts_usec":1642965459696999,"pkt":"EBMx8Tl2KDc3AG3ICABFAACXZlQAAEARd0rAqAGykMNJmuztImEAg30SAQADyErEUocYzaK4R3obiZ8zgwAAAAAAAAACAG9hpABvYaQAAABASNx7XNkhaVV2TkWPa7HXWfzTaegL7lyuofS42ADMsef1ZS+nG51oqDil0vt0Fn4zbdXfyiCV8oAbYGEn4LlcKwAAAAAAQABAAAB1MAABAAMAAiAA"} 00551{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":114,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1642965459696999,"flow_dst_last_pkt_time":1642965459762205,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1642965459762205,"pkt":"KDc3AG3IEBMx8Tl2CABFAABIvJFAADER8FuQw0mawKgBsiJh7O0ANHLoAgADyErEUocYzaK4R3obiZ8zgwBPg3gAb2E\/AAAAAAAAAAAAQABAAAPgAwA="} -01198{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":172,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459884168,"flow_dst_last_pkt_time":1642965460094905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":630,"flow_dst_tot_l4_payload_len":21016,"midstream":0,"thread_ts_usec":1642965460094905,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":21,"flow_avg":25610.3,"flow_max":166585,"flow_stddev":39867.5,"c_to_s_min":12330,"c_to_s_avg":64049.2,"c_to_s_max":101849,"c_to_s_stddev":36397.1,"s_to_c_min":21,"s_to_c_avg":18492.0,"s_to_c_max":166585,"s_to_c_stddev":36251.1},"pktlen": {"c_to_s_min":165,"c_to_s_avg":168.0,"c_to_s_max":170,"c_to_s_stddev":2.4,"s_to_c_min":60,"s_to_c_avg":820.7,"s_to_c_max":1078,"s_to_c_stddev":435.1}}} +01198{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":172,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459884168,"flow_dst_last_pkt_time":1642965460094905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":630,"flow_dst_tot_l4_payload_len":21016,"midstream":0,"thread_ts_usec":1642965460094905,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":21,"flow_avg":25414.0,"flow_max":166585,"flow_stddev":40490.2,"c_to_s_min":12330,"c_to_s_avg":72137.0,"c_to_s_max":101849,"c_to_s_stddev":36453.7,"s_to_c_min":21,"s_to_c_avg":18492.0,"s_to_c_max":166585,"s_to_c_stddev":36251.1},"pktlen": {"c_to_s_min":165,"c_to_s_avg":168.0,"c_to_s_max":170,"c_to_s_stddev":2.4,"s_to_c_min":60,"s_to_c_avg":820.7,"s_to_c_max":1078,"s_to_c_stddev":435.1}}} 00880{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":172,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459884168,"flow_dst_last_pkt_time":1642965460094905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":630,"flow_dst_tot_l4_payload_len":21016,"midstream":0,"thread_ts_usec":1642965460094905,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00881{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":172,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459884168,"flow_dst_last_pkt_time":1642965460094905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":630,"flow_dst_tot_l4_payload_len":21016,"midstream":0,"thread_ts_usec":1642965460094905,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":207,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460219455,"flow_dst_last_pkt_time":1642965460219455,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":123,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":123,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642965460219455,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -23,10 +23,10 @@ 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":274,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1642965460317924,"flow_dst_last_pkt_time":1642965460395901,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1642965460395901,"pkt":"KDc3AG3IEBMx8Tl2CABFAABIvbFAADER7zuQw0mawKgBsiJh4wUANKrxAgADlUCX4nL8uBw5x1bMJMqfpQBPg3kAb2OvAAAAAAAAAAAAQABAAAPgAwA="} 00665{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":299,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1642965460461401,"flow_dst_last_pkt_time":1642965460359314,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":167,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":167,"pkt_l4_len":133,"thread_ts_usec":1642965460461401,"pkt":"EBMx8Tl2KDc3AG3ICABFAACZ6kAAAEAR81vAqAGykMNJmuJhImEAhaEiAQADwkJYttycXaTnsMPEsai0ugAAAAAAAAACAG9koQBvZKEAAABA6DEQatkP0ZiaMugg0SFSq6JqmaXOleBRM3eRUGv0uLvPr6CL4g3oVryKRdoOzve7SJqEd+2jwB1vjsn7k5LMNv\/\/\/\/8AQABAAAB1MAABAAMAAiAACgA="} 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":348,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1642965460461401,"flow_dst_last_pkt_time":1642965460546911,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1642965460546911,"pkt":"KDc3AG3IEBMx8Tl2CABFAABIvg1AAC8R8N+Qw0mawKgBsiJh4mEANErbAgADwkJYttycXaTnsMPEsai0ugBPg3oAb2Q7AAAAAAAAAAAAQABAAAPgAwA="} -01193{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":497,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460877104,"flow_dst_last_pkt_time":1642965460887928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":88,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":161,"flow_dst_max_l4_payload_len":136,"flow_src_tot_l4_payload_len":1490,"flow_dst_tot_l4_payload_len":1734,"midstream":0,"thread_ts_usec":1642965460887928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":12,"flow_avg":41845.4,"flow_max":176446,"flow_stddev":48388.4,"c_to_s_min":15,"c_to_s_avg":55881.6,"c_to_s_max":168367,"c_to_s_stddev":52474.8,"s_to_c_min":12,"s_to_c_avg":33423.6,"s_to_c_max":176446,"s_to_c_stddev":43646.3},"pktlen": {"c_to_s_min":130,"c_to_s_avg":166.2,"c_to_s_max":203,"c_to_s_stddev":16.0,"s_to_c_min":60,"s_to_c_avg":129.1,"s_to_c_max":178,"s_to_c_stddev":37.1}}} +01193{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":497,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460877104,"flow_dst_last_pkt_time":1642965460887928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":88,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":161,"flow_dst_max_l4_payload_len":136,"flow_src_tot_l4_payload_len":1490,"flow_dst_tot_l4_payload_len":1734,"midstream":0,"thread_ts_usec":1642965460887928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":12,"flow_avg":42778.1,"flow_max":176446,"flow_stddev":48878.6,"c_to_s_min":15,"c_to_s_avg":59786.3,"c_to_s_max":168367,"c_to_s_stddev":53112.8,"s_to_c_min":12,"s_to_c_avg":33423.6,"s_to_c_max":176446,"s_to_c_stddev":43646.3},"pktlen": {"c_to_s_min":130,"c_to_s_avg":166.2,"c_to_s_max":203,"c_to_s_stddev":16.0,"s_to_c_min":60,"s_to_c_avg":129.1,"s_to_c_max":178,"s_to_c_stddev":37.1}}} 00879{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":497,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460877104,"flow_dst_last_pkt_time":1642965460887928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":88,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":161,"flow_dst_max_l4_payload_len":136,"flow_src_tot_l4_payload_len":1490,"flow_dst_tot_l4_payload_len":1734,"midstream":0,"thread_ts_usec":1642965460887928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00880{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":497,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460877104,"flow_dst_last_pkt_time":1642965460887928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":88,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":161,"flow_dst_max_l4_payload_len":136,"flow_src_tot_l4_payload_len":1490,"flow_dst_tot_l4_payload_len":1734,"midstream":0,"thread_ts_usec":1642965460887928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} -01187{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":575,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1642965460359314,"flow_src_last_pkt_time":1642965461085374,"flow_dst_last_pkt_time":1642965461081424,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":143,"flow_dst_max_l4_payload_len":75,"flow_src_tot_l4_payload_len":1257,"flow_dst_tot_l4_payload_len":755,"midstream":0,"thread_ts_usec":1642965461085374,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":8,"flow_avg":45261.5,"flow_max":187597,"flow_stddev":43042.3,"c_to_s_min":18,"c_to_s_avg":48417.3,"c_to_s_max":105625,"c_to_s_stddev":35316.9,"s_to_c_min":8,"s_to_c_avg":42477.1,"s_to_c_max":187597,"s_to_c_stddev":48685.1},"pktlen": {"c_to_s_min":69,"c_to_s_avg":125.8,"c_to_s_max":185,"c_to_s_stddev":53.3,"s_to_c_min":60,"s_to_c_avg":86.9,"s_to_c_max":117,"s_to_c_stddev":23.2}}} +01187{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":575,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1642965460359314,"flow_src_last_pkt_time":1642965461085374,"flow_dst_last_pkt_time":1642965461081424,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":143,"flow_dst_max_l4_payload_len":75,"flow_src_tot_l4_payload_len":1257,"flow_dst_tot_l4_payload_len":755,"midstream":0,"thread_ts_usec":1642965461085374,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":8,"flow_avg":46715.2,"flow_max":187597,"flow_stddev":42950.9,"c_to_s_min":18,"c_to_s_avg":51861.4,"c_to_s_max":105625,"c_to_s_stddev":34035.9,"s_to_c_min":8,"s_to_c_avg":42477.1,"s_to_c_max":187597,"s_to_c_stddev":48685.1},"pktlen": {"c_to_s_min":69,"c_to_s_avg":125.8,"c_to_s_max":185,"c_to_s_stddev":53.3,"s_to_c_min":60,"s_to_c_avg":86.9,"s_to_c_max":117,"s_to_c_stddev":23.2}}} 00877{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":575,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1642965460359314,"flow_src_last_pkt_time":1642965461085374,"flow_dst_last_pkt_time":1642965461081424,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":143,"flow_dst_max_l4_payload_len":75,"flow_src_tot_l4_payload_len":1257,"flow_dst_tot_l4_payload_len":755,"midstream":0,"thread_ts_usec":1642965461085374,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00878{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":575,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1642965460359314,"flow_src_last_pkt_time":1642965461085374,"flow_dst_last_pkt_time":1642965461081424,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":143,"flow_dst_max_l4_payload_len":75,"flow_src_tot_l4_payload_len":1257,"flow_dst_tot_l4_payload_len":755,"midstream":0,"thread_ts_usec":1642965461085374,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00727{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11804,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1642965500049643,"flow_src_last_pkt_time":1642965500049643,"flow_dst_last_pkt_time":1642965500049643,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642965500049643,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3} |